Affected versions of tough-cookie are susceptible to a regular expression denial of service.
The amplification of this vulnerability is relatively low: it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length.
If node was compiled using the -DHTTP_MAX_HEADER_SIZE flag, however, the impact of the vulnerability can be significant, as the primary limitation on the vulnerability is the default maximum HTTP header length in node.
Update to version 2.3.3 or later.
gulp-uncss>uncss>request>tough-cookie
Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.
This is exploitable if user-supplied input is provided as the auth value and that value is a number.
Proof-of-concept:
require('request')({
  method: 'GET',
  uri: 'http://www.example.com',
  tunnel: true,
  proxy: {
    protocol: 'http:',
    host: '127.0.0.1',
    port: 8080,
    auth: USERSUPPLIEDINPUT // a number here (not a string) triggers the memory exposure
  }
});
Update to version 0.6.0 or later.
gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-build>download>caw>tunnel-agent
gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-wrapper>download>caw>tunnel-agent
gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-build>download>caw>tunnel-agent
gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-wrapper>download>caw>tunnel-agent
gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-build>download>caw>tunnel-agent
gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-wrapper>download>caw>tunnel-agent
gulp-uncss>uncss>request>tunnel-agent
Versions of lodash before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition of a new property or the modification of an existing one that will then exist on all objects.
Update to version 4.17.11 or later.
favicons-webpack-plugin>favicons>cheerio>lodash
favicons-webpack-plugin>favicons>merge-defaults>lodash
gulp-uncss>uncss>lodash
Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.
The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.
This can be demonstrated like so:
var Hoek = require('hoek');
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';
var a = {}; // an unrelated, empty object
console.log("Before : " + a.oops); // a.oops is undefined
Hoek.merge({}, JSON.parse(malicious_payload)); // merge walks into __proto__, i.e. Object.prototype
console.log("After : " + a.oops); // on vulnerable versions a.oops now reads "It works !"
This type of attack can be used to overwrite existing properties causing a potential denial of service.
Update to version 4.2.1, 5.0.3 or later.
gulp-cli>wreck>boom>hoek
gulp-cli>wreck>hoek
gulp-uncss>uncss>request>hawk>boom>hoek
gulp-uncss>uncss>request>hawk>cryptiles>boom>hoek
gulp-uncss>uncss>request>hawk>hoek
gulp-uncss>uncss>request>hawk>sntp>hoek
Affected versions of tough-cookie may be vulnerable to regular expression denial of service when long strings of semicolons exist in the Set-Cookie header.
Update to version 2.3.0 or later.
gulp-uncss>uncss>request>tough-cookie
Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to become unresponsive, leading to denial of service.
Upgrade to version 2.3.1 or higher.
browser-sync>micromatch>braces
favicons-webpack-plugin>webpack>watchpack>chokidar>anymatch>micromatch>braces
gulp-cli>matchdep>micromatch>braces
gulp-imagemin>imagemin>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-build>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-build>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-build>download>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-wrapper>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-gifsicle>gifsicle>bin-wrapper>download>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-build>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-build>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-build>download>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-wrapper>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-jpegtran>jpegtran-bin>bin-wrapper>download>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-build>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-build>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-build>download>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-wrapper>download>gulp-decompress>decompress>vinyl-fs>glob-stream>micromatch>braces
gulp-imagemin>imagemin>imagemin-optipng>optipng-bin>bin-wrapper>download>vinyl-fs>glob-stream>micromatch>braces
gulp-load-plugins>findup-sync>micromatch>braces
gulp-load-plugins>micromatch>braces
panini>vinyl-fs>glob-stream>micromatch>braces
webpack-stream>webpack>watchpack>chokidar>anymatch>micromatch>braces
Versions of lodash before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via __proto__, causing the addition of a new property or the modification of an existing one that will then exist on all objects.
Update to version 4.17.5 or later.
favicons-webpack-plugin>favicons>cheerio>lodash
favicons-webpack-plugin>favicons>merge-defaults>lodash
gulp-uncss>uncss>lodash
Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter.
Because it takes a 50,000-character input to block the event loop for 2 seconds, this is a low-severity issue.
Version 2.x.x: Update to version 2.6.9 or later. Version 3.x.x: Update to version 3.1.0 or later.
favicons-webpack-plugin>favicons>node-rest-client>debug