org.webjars.npm:https-proxy-agent@2.1.1 vulnerabilities

  • latest version

    7.0.6

  • latest non vulnerable version

  • first published

    8 years ago

  • latest version published

    10 days ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the org.webjars.npm:https-proxy-agent package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M
    Man-in-the-Middle (MitM)

    org.webjars.npm:https-proxy-agent is a module that provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.

    Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). When targeting an HTTP proxy, https-proxy-agent opens a socket to the proxy and sends the proxy server a CONNECT request. If the proxy server responds with anything other than an HTTP 200 response, https-proxy-agent incorrectly returns the socket without any TLS upgrade. The request data, which may contain basic auth credentials or other secrets, is then sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.

    PoC by Kris Adler

    var url = require('url');
    var https = require('https');
    var HttpsProxyAgent = require('https-proxy-agent');
    
    // Plain-HTTP proxy endpoint; the flaw shows when it answers CONNECT with a non-200 response
    var proxyOpts = url.parse('http://127.0.0.1:80');
    var opts = url.parse('https://www.google.com');
    var agent = new HttpsProxyAgent(proxyOpts);
    opts.agent = agent;
    // Basic auth credentials that end up in the cleartext request
    opts.auth = 'username:password';
    https.get(opts);
    

    How to fix Man-in-the-Middle (MitM)?

    Upgrade org.webjars.npm:https-proxy-agent to version 2.2.3 or higher.

    Vulnerable versions: [,2.2.3)
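
The CONNECT handling described above, modelled as an added example (not the package's source, not the 2.2.3 patch, and not part of the advisory): it contrasts handing back the socket after a non-200 reply with failing closed. All function names and sample data are constructed for illustration.

```javascript
'use strict';
// Added illustration; function names are hypothetical, not https-proxy-agent's API.

// Parse the head of a proxy's reply to CONNECT from the bytes received so far.
// Returns null until the blank line that ends the headers has arrived.
function parseConnectReply(buf) {
  const text = buf.toString('latin1');
  if (text.indexOf('\r\n\r\n') === -1) return null;
  const m = /^HTTP\/1\.[01] (\d{3})(?: |\r\n)/.exec(text);
  return { statusCode: m ? Number(m[1]) : NaN };
}

// Flawed pattern from the advisory: a non-200 reply still yields a usable
// socket, so the caller writes its HTTPS request to the proxy in cleartext.
function vulnerableNextStep(reply) {
  return reply.statusCode === 200 ? 'tls-upgrade' : 'use-plain-socket';
}

// Fail-closed pattern: only a 200 leads to a TLS handshake through the tunnel;
// anything else (407, 502, an unparsable status line) destroys the socket.
function hardenedNextStep(reply) {
  return reply.statusCode === 200 ? 'tls-upgrade' : 'destroy-socket';
}

// Feed reply chunks as they would arrive from the proxy and report which
// request bytes would cross the client-to-proxy link without TLS.
function cleartextExposure(nextStep, chunks, request) {
  let received = Buffer.alloc(0);
  for (const chunk of chunks) {
    received = Buffer.concat([received, Buffer.from(chunk, 'latin1')]);
    const reply = parseConnectReply(received);
    if (reply === null) continue; // headers incomplete, keep reading
    const step = nextStep(reply);
    return { step, leaked: step === 'use-plain-socket' ? request : '' };
  }
  return { step: 'destroy-socket', leaked: '' }; // proxy closed mid-reply
}

// Constructed sample data: a 407 reply split across two reads, a 200 reply,
// and a request carrying the PoC's placeholder credentials.
const SAMPLE_407 = ['HTTP/1.1 407 Proxy Auth', 'entication Required\r\n\r\n'];
const SAMPLE_200 = ['HTTP/1.1 200 Connection established\r\n\r\n'];
const SAMPLE_REQUEST = 'GET / HTTP/1.1\r\nHost: www.google.com\r\nAuthorization: Basic ' +
  Buffer.from('username:password').toString('base64') + '\r\n\r\n';

console.log(cleartextExposure(vulnerableNextStep, SAMPLE_407, SAMPLE_REQUEST));
console.log(cleartextExposure(hardenedNextStep, SAMPLE_407, SAMPLE_REQUEST));
```
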
    • H
    Uninitialized Memory Exposure

    https-proxy-agent provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.

    Affected versions of this package are vulnerable to Uninitialized Memory Exposure and Denial of Service (DoS) attacks due to passing unsanitized options to Buffer(arg).

    Note: CVE-2018-3739 is a duplicate of CVE-2018-3736.

    How to fix Uninitialized Memory Exposure?

    Upgrade https-proxy-agent to version 2.2.0 or higher. Note: this is vulnerable only on Node <=4.

    Vulnerable versions: [,2.2.0)