<p>Upgrade <code>node-weakauras-parser</code> to version 1.0.5, 2.0.2, 3.0.1 or higher.</p>

=3.0.0 <3.0.1

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-NODEWEAKAURASPARSER-564886
published 8 Apr 2020
disclosed 7 Apr 2020
credit Velithris

Report a new vulnerability Found a mistake?

Introduced: 7 Apr 2020

CWE-120 Open this link in a new tab

How to fix?

Upgrade node-weakauras-parser to version 1.0.5, 2.0.2, 3.0.1 or higher.

Overview

node-weakauras-parser is a native module for Node.js that does deserialization/serialization of WeakAuras' strings.

Affected versions of this package are vulnerable to Buffer Overflow. The encode_weakaura function fails to properly validate the input size. A buffer of 13835058055282163711 bytes causes an overflow on 64-bit systems.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

None
Integrity (I)

Low
Availability (A)

High

Buffer Overflow Affecting node-weakauras-parser package, versions >=1.0.4 <1.0.5 >=2.0.0 <2.0.2 >=3.0.0 <3.0.1

Severity

CVSS assessment made by Snyk's Security Team

Introduced: 7 Apr 2020

How to fix?

Overview

References

CVSS Scores

Snyk