Improper Input Validation Affecting kurwov package, versions >=3.1.0 <3.2.5
Snyk ID SNYK-JS-KURWOV-6808831
- published 5 May 2024
- disclosed 3 May 2024
- credit Unknown
Introduced: 3 May 2024
CVE-2024-34075
How to fix?
Upgrade kurwov to version 3.2.5 or higher.
Overview
kurwov is a Markov chain library.
Affected versions of this package are vulnerable to Improper Input Validation due to improper data sanitization in the MarkovData#getNext method, which is used by Markov#generate and Markov#choose. A maliciously crafted string in the dataset can make the function throw an error and stop running properly: the sanitization is bypassed when a forbidden substring followed by a space character is encountered. As a result, data resolves to a special function found on its prototype instead of an array; when data is then indexed by a random number it is expected to return a string but returns undefined (since data is a function), and the subsequent endsWith call throws.
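The failure mode above, reconstructed as an added illustration that is not kurwov's own code: a word index kept in a plain object inherits from Object.prototype, so a dataset token that only ever appears as a final word (here the constructed token "constructor") resolves to a prototype function rather than an array of successors, and indexing that function yields undefined. The hardened variant stores the index in a Map and treats an absent key as a dead end instead of a crash. The dataset, function names and the injectable `pick` parameter are all constructed for the example.

```javascript
// Constructed sample dataset: "constructor" appears only as a last word,
// so it never becomes an own key of the successor index.
const DATASET = ["the cat sat", "chaos of constructor"];

// Shared builder: records word -> following word pairs via the given put().
function buildIndex(lines, index, put) {
  for (const line of lines) {
    const words = line.split(" ");
    for (let i = 0; i < words.length - 1; i++) put(index, words[i], words[i + 1]);
  }
  return index;
}

// Vulnerable pattern: a plain object, so a missing key falls through to
// Object.prototype (e.g. index["constructor"] === Object).
function buildIndexUnsafe(lines) {
  return buildIndex(lines, {}, (ix, w, n) => (ix[w] ??= []).push(n));
}

function getNextUnsafe(index, word, pick = (n) => Math.floor(Math.random() * n)) {
  const data = index[word];               // a function, not an array, for "constructor"
  const next = data[pick(data.length)];   // Function.length is 1; data[0] is undefined
  return next.endsWith(".") ? next.slice(0, -1) : next; // TypeError on undefined
}

// Hardened pattern: a Map has no prototype chain to fall into, and the lookup
// result is type-checked before use. Object.create(null) would also work.
function buildIndexSafe(lines) {
  return buildIndex(lines, new Map(), (ix, w, n) => {
    if (!ix.has(w)) ix.set(w, []);
    ix.get(w).push(n);
  });
}

function getNextSafe(index, word, pick = (n) => Math.floor(Math.random() * n)) {
  const data = index.get(word);
  if (!Array.isArray(data) || data.length === 0) return null; // dead end, not a crash
  const next = data[pick(data.length)];
  return next.endsWith(".") ? next.slice(0, -1) : next;
}
```

Calling `getNextUnsafe(buildIndexUnsafe(DATASET), "constructor")` throws a TypeError exactly as the advisory describes, while `getNextSafe` returns null for the same input.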