Resource exhaustion in https-proxy-agent - CVE-2018-3739

Published: August 7, 2018 / Updated: August 8, 2018


Vulnerability identifier: #VU14225
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2018-3739
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: npm Inc.
Affected software: https-proxy-agent

Detailed vulnerability description

The vulnerability allows a remote attacker to obtain potentially sensitive information or cause a DoS condition on the target system.

The vulnerability exists because the auth option is passed to the Buffer() constructor without proper sanitization. A remote attacker can submit malicious input via the auth parameter to consume excessive CPU resources and crash the service, or to trigger a memory leak that exposes arbitrary data.


How to mitigate CVE-2018-3739

Update to version 2.2.0 or later.

Sources