node-libcurl@3.0.0 vulnerabilities

The fastest http(s) client (and much more) for Node.js - Node.js bindings for libcurl

latest version

4.0.0
first published

11 years ago
latest version published

9 months ago
licenses detected
- MIT
  >=0
View node-libcurl package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the node-libcurl package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
L External Control of File Name or Path Affected versions of this package are vulnerable to External Control of File Name or Path via the `curl_easy_duphandle` function, allowing an attacker to insert cookies into a running program using this library. When this function is used to duplicate an easy handle with cookies enabled, the cookie-enable state is also cloned. However, the actual cookies are not cloned, and if the source handle did not read any cookies from a specific file on disk, the cloned handle would store the file name as `none`. Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would inadvertently load cookies from a file named `none`. Note: This is only exploitable if a file named `none` exists and is readable in the current directory of the program using `libcurl` and in the correct file format. Changelog: 2023-10-04: Initial publication 2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range. How to fix External Control of File Name or Path? There is no fixed version for `node-libcurl`.	*
H Heap-based Buffer Overflow Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the `SOCKS5` proxy handshake process when the hostname is longer than the target buffer and larger than 255 bytes. The local variable `socks5_resolve_local` could get the wrong value during a slow SOCKS5 handshake. Since the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer. This is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer. Exploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions. Note: An overflow is only possible in applications that don't set `CURLOPT_BUFFERSIZE` or set it smaller than 65541. Since the curl tool sets `CURLOPT_BUFFERSIZE` to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second. The options that cause SOCKS5 with remote hostname to be used in `libcurl`: `CURLOPT_PROXYTYPE` set to type `CURLPROXY_SOCKS5_HOSTNAME`, or: `CURLOPT_PROXY` or `CURLOPT_PRE_PROXY` set to use the scheme `socks5h://` One of the proxy environment variables can be set to use the `socks5h://` scheme. For example, `http_proxy`, `HTTPS_PROXY` or `ALL_PROXY`. The options that cause SOCKS5 with remote hostname to be used in the `curl` tool: `--socks5-hostname`, `--proxy` or `--preproxy` set to use the scheme `socks5h://` Environment variables as described in the libcurl section. Changelog: 2023-10-04: Initial publication 2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range. How to fix Heap-based Buffer Overflow? There is no fixed version for `node-libcurl`.	*

External Control of File Name or Path

Affected versions of this package are vulnerable to External Control of File Name or Path via the curl_easy_duphandle function, allowing an attacker to insert cookies into a running program using this library.

When this function is used to duplicate an easy handle with cookies enabled, the cookie-enable state is also cloned. However, the actual cookies are not cloned, and if the source handle did not read any cookies from a specific file on disk, the cloned handle would store the file name as none. Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would inadvertently load cookies from a file named none.

Note:

This is only exploitable if a file named none exists and is readable in the current directory of the program using libcurl and in the correct file format.

Changelog:

2023-10-04: Initial publication

2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.

How to fix External Control of File Name or Path?

There is no fixed version for node-libcurl.

Heap-based Buffer Overflow

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the SOCKS5 proxy handshake process when the hostname is longer than the target buffer and larger than 255 bytes. The local variable socks5_resolve_local could get the wrong value during a slow SOCKS5 handshake. Since the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer.

This is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.

Exploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.

Note:

An overflow is only possible in applications that don't set CURLOPT_BUFFERSIZE or set it smaller than 65541. Since the curl tool sets CURLOPT_BUFFERSIZE to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.

The options that cause SOCKS5 with remote hostname to be used in libcurl:

CURLOPT_PROXYTYPE set to type CURLPROXY_SOCKS5_HOSTNAME, or: CURLOPT_PROXY or CURLOPT_PRE_PROXY set to use the scheme socks5h://
One of the proxy environment variables can be set to use the socks5h:// scheme. For example, http_proxy, HTTPS_PROXY or ALL_PROXY.

The options that cause SOCKS5 with remote hostname to be used in the curl tool:

--socks5-hostname, --proxy or --preproxy set to use the scheme socks5h://
Environment variables as described in the libcurl section.

Changelog:

2023-10-04: Initial publication

2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.

How to fix Heap-based Buffer Overflow?

There is no fixed version for node-libcurl.

Go back to all versions of this package

node-libcurl@3.0.0 vulnerabilities

The fastest http(s) client (and much more) for Node.js - Node.js bindings for libcurl

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities