Lucene search

K
githubGitHub Advisory DatabaseGHSA-5RWJ-J5M3-3CHJ
HistorySep 01, 2021 - 6:25 p.m.

Missing Release of Memory after Effective Lifetime in detect-character-encoding

2021-09-0118:25:16
CWE-401
GitHub Advisory Database
github.com
23

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.003

Percentile

69.9%

Impact

In detect-character-encoding v0.3.0 and earlier, allocated memory is not released.

Patches

The problem has been patched in detect-character-encoding v0.3.1.

CVSS score

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C

Base Score: 7.5 (High)
Temporal Score: 7.2 (High)

Since detect-character-encoding is a library, the scoring is based on the โ€œreasonable worst-case implementation scenarioโ€, namely, using detect-character-encoding in a program accessible over the internet which becomes unavailable when running out of memory. Depending on your specific implementation, the vulnerabilityโ€™s severity in your program may be different.

Proof of concept

const express = require("express");
const detectCharacterEncoding = require("detect-character-encoding");

const app = express();

app.get("/", (req, res) => {
  detectCharacterEncoding(Buffer.from("foo"));

  res.end();
});

app.listen(3000);

hey -n 1000000 http://localhost:3000 (hey) causes the Node.js process to consume more and more memory.

References

Affected configurations

Vulners
Node
detect-character-encoding_projectdetect-character-encodingRange<0.3.1node.js

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.003

Percentile

69.9%

Related for GHSA-5RWJ-J5M3-3CHJ