Avoid using all malicious instances of the esqpaypallgtbint package.

webtorrent@0.94.0 vulnerabilities

Streaming torrent client

latest version

2.5.10

latest non vulnerable version

2.5.10

first published

11 years ago

latest version published

3 days ago

licenses detected

MIT
>=0

View webtorrent package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the webtorrent package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
L Cross-site Scripting (XSS) webtorrent is a streaming torrent client for node.js and the browser. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). If the torrent contains a specially crafted title or file name, and the user starts the WebTorrent HTTP server via `createServer()`, and then the user visits the HTTP server index page (which lists the contents of the torrent), then the attacker can run JavaScript in this browser context. The WebTorrent HTTP server only allows fetching data pieces from the torrent allowing attacker code could e.g. figure out what content the user is downloading and exfiltrate that to an external domain. How to fix Cross-site Scripting (XSS)? Upgrade `webtorrent` to version 0.107.6 or higher.	<0.107.6
L DNS Rebinding webtorrent is a streaming torrent client for node.js and the browser. Affected versions of this package are vulnerable to DNS Rebinding. When the request hostname does not match the user-provided `opts.hostname` value. It omits the `Access-Control-Allow-Origin` header, instead of stop processing the request and return nothing. How to fix DNS Rebinding? Upgrade `webtorrent` to version 0.105.2 or higher.	<0.105.2

Cross-site Scripting (XSS)

webtorrent is a streaming torrent client for node.js and the browser.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). If the torrent contains a specially crafted title or file name, and the user starts the WebTorrent HTTP server via createServer(), and then the user visits the HTTP server index page (which lists the contents of the torrent), then the attacker can run JavaScript in this browser context. The WebTorrent HTTP server only allows fetching data pieces from the torrent allowing attacker code could e.g. figure out what content the user is downloading and exfiltrate that to an external domain.

How to fix Cross-site Scripting (XSS)?

Upgrade webtorrent to version 0.107.6 or higher.

<0.107.6

DNS Rebinding

webtorrent is a streaming torrent client for node.js and the browser.

Affected versions of this package are vulnerable to DNS Rebinding. When the request hostname does not match the user-provided opts.hostname value. It omits the Access-Control-Allow-Origin header, instead of stop processing the request and return nothing.

How to fix DNS Rebinding?

Upgrade webtorrent to version 0.105.2 or higher.

<0.105.2

Go back to all versions of this package