I would like to report an uninitialized Buffer allocation issue in atob
.
It allows to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed (e.g. from JSON), on Node.js 4.x and lower.
module name: atob
version:2.0.3npm page: https://www.npmjs.com/package/atob
> Uses Buffer to emulate the exact functionality of the browser’s atob.
492 191 downloads in the last day
2 890 027 downloads in the last week
11 036 537 downloads in the last month
The problem arises when a number is passed in, e.g. from user-submitted JSON-encoded data.
The API should not propagate the already-bad Buffer issue further.
On Node.js 4.x and below (4.x is still supported), this exposes uninitialized memory, which could contain sensitive data. This can be also used to cause a DoS by consuming the memory when large numbers are passed on input.
console.log(require('atob')(1000))
(note uninitialized memory in output)
console.log(require('atob')(1e8))
(note memory usage and time)
Run on Node.js 4.x (or below).
Sensitive uninitialized memory exposure
Denail of Service
This issue affects only setups using Node.js 4.x (still supported) or lower.