GHSA-3pcq-34w5-p4g2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3pcq-34w5-p4g2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-3pcq-34w5-p4g2/GHSA-3pcq-34w5-p4g2.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-3pcq-34w5-p4g2
- Aliases
- Related
- Published
- 2021-10-21T17:49:30Z
- Modified
- 2023-11-01T04:56:26.094132Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- modern-async's `forEachSeries` and `forEachLimit` functions do not limit the number of requests
- Details
-
Impact
This is a bug affecting two of the functions in this library:
forEachSeriesandforEachLimit. They should limit the concurrency of some actions but, in practice, they don't. Any code calling these functions will be written thinking they would limit the concurrency but they won't. This could lead to potential security issues in other projects.Patches
The problem has been patched in 1.0.4.
Workarounds
There is no workaround aside from upgrading to 1.0.4.
- Database specific
{ "nvd_published_at": "2021-10-20T19:15:00Z", "github_reviewed_at": "2021-10-20T17:39:03Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-400", "CWE-770" ] }- References
-
- https://github.com/nicolas-van/modern-async/security/advisories/GHSA-3pcq-34w5-p4g2
- https://nvd.nist.gov/vuln/detail/CVE-2021-41167
- https://github.com/nicolas-van/modern-async/issues/5
- https://github.com/nicolas-van/modern-async/commit/0010d28de1b15d51db3976080e26357fa7144436
- https://github.com/nicolas-van/modern-async
Affected packages
npm / modern-async
Package
- Name
- modern-async
- View open source insights on deps.dev
- Purl
- pkg:npm/modern-async