GHSA-5rwj-j5m3-3chj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5rwj-j5m3-3chj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-5rwj-j5m3-3chj/GHSA-5rwj-j5m3-3chj.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-5rwj-j5m3-3chj
- Aliases
- Related
- Published
- 2021-09-01T18:25:16Z
- Modified
- 2023-11-01T04:56:04.663557Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Missing Release of Memory after Effective Lifetime in detect-character-encoding
- Details
-
Impact
In detect-character-encoding v0.3.0 and earlier, allocated memory is not released.
Patches
The problem has been patched in detect-character-encoding v0.3.1.
CVSS score
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C
Base Score: 7.5 (High) Temporal Score: 7.2 (High)
Since detect-character-encoding is a library, the scoring is based on the “reasonable worst-case implementation scenario”, namely, using detect-character-encoding in a program accessible over the internet which becomes unavailable when running out of memory. Depending on your specific implementation, the vulnerability’s severity in your program may be different.
Proof of concept
const express = require("express"); const detectCharacterEncoding = require("detect-character-encoding"); const app = express(); app.get("/", (req, res) => { detectCharacterEncoding(Buffer.from("foo")); res.end(); }); app.listen(3000);hey -n 1000000 http://localhost:3000(<code>hey</code>) causes the Node.js process to consume more and more memory.References
- https://github.com/sonicdoe/detect-character-encoding/commit/d44356927b92e3b13e178071bf6d7c671766f588
- https://github.com/sonicdoe/detect-character-encoding/pull/6
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2021-08-31T19:58:46Z", "nvd_published_at": "2021-08-31T18:15:00Z", "severity": "HIGH", "cwe_ids": [ "CWE-401" ] }- References
-
- https://github.com/sonicdoe/detect-character-encoding/security/advisories/GHSA-5rwj-j5m3-3chj
- https://nvd.nist.gov/vuln/detail/CVE-2021-39176
- https://github.com/sonicdoe/detect-character-encoding/pull/6
- https://github.com/sonicdoe/detect-character-encoding/commit/d44356927b92e3b13e178071bf6d7c671766f588
- https://github.com/sonicdoe/detect-character-encoding
- https://github.com/sonicdoe/detect-character-encoding/releases/tag/v0.3.1
Affected packages
npm / detect-character-encoding
Package
- Name
- detect-character-encoding
- View open source insights on deps.dev
- Purl
- pkg:npm/detect-character-encoding