GHSA-4rgj-8mq3-hggj

Source
https://github.com/advisories/GHSA-4rgj-8mq3-hggj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-4rgj-8mq3-hggj/GHSA-4rgj-8mq3-hggj.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4rgj-8mq3-hggj
Published
2020-09-03T20:32:11Z
Modified
2020-08-31T18:49:38Z
Summary
Denial of Service in @hapi/subtext
Details

Versions of @hapi/subtext prior to 6.1.2 are vulnerable to Denial of Service (DoS). The package fails to enforce the maxBytes configuration for payloads with chunked encoding that are written to the file system. This allows attackers to send requests with arbitrary payload sizes, which may exhaust system resources leading to Denial of Service.

Recommendation

Upgrade to version 6.1.2 or later.

Database specific
{
    "severity": "HIGH",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-400"
    ],
    "github_reviewed_at": "2020-08-31T18:49:38Z",
    "github_reviewed": true
}
References

Affected packages

npm / @hapi/subtext

Package

Name
@hapi/subtext
Purl
pkg:npm/%40hapi/subtext

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.1.2