In ced v0.1.0, passing data types other than Buffer causes the Node.js process to crash.
The problem has been patched in ced v1.0.0. You can upgrade from v0.1.0 without any breaking changes.
Before passing an argument to ced, verify it's a Buffer using Buffer.isBuffer(obj).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C
Base Score: 7.5 (High)
Temporal Score: 7.2 (High)
Since ced is a library, the scoring is based on the "reasonable worst-case implementation scenario", namely, accepting data from untrusted sources over a network and passing it directly to ced. Depending on your specific implementation, the vulnerability's severity in your program may be different.
```javascript
// Vulnerable example: the request body is handed to ced v0.1.0 unchecked.
const express = require("express");
const bodyParser = require("body-parser");
const ced = require("ced");
const app = express();
// raw() only parses application/octet-stream by default; any other
// Content-Type leaves req.body as something other than a Buffer.
app.use(bodyParser.raw());
app.post("/", (req, res) => {
  // No Buffer.isBuffer check: a non-Buffer body crashes the process.
  const encoding = ced(req.body);
  res.end(encoding);
});
app.listen(3000);
```
```shell
curl --request POST --header "Content-Type: text/plain" --data foo http://localhost:3000
```
crashes the server.
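The Buffer.isBuffer guard recommended above, applied to the handler from the scenario, as an added example that is not code from the ced project or the advisory. The detector is injected as `detect` so the guard can be exercised without the native module; in a real deployment pass `require("ced")`, and the `fakeDetect`/`fakeResponse` helpers are constructed stand-ins.

```javascript
"use strict";

// Returns the detected encoding for a Buffer, or null for anything else.
// ced v0.1.0 crashed the whole process on non-Buffer input, so the check
// runs here, before the native call, and this function never throws.
function detectEncoding(body, detect) {
  if (!Buffer.isBuffer(body)) {
    return null;
  }
  return detect(body);
}

// Handler factory usable with Express or plain http (only res.statusCode and
// res.end are used). A body that is not a Buffer, e.g. because body-parser's
// raw() saw a Content-Type other than application/octet-stream, gets a 400
// response instead of taking the server down.
function makeHandler(detect) {
  return (req, res) => {
    const encoding = detectEncoding(req.body, detect);
    if (encoding === null) {
      res.statusCode = 400;
      res.end("expected a raw body (Content-Type: application/octet-stream)");
      return;
    }
    res.statusCode = 200;
    res.end(encoding);
  };
}

// Constructed stand-in for a response object, so the guard can be run offline.
function fakeResponse() {
  const r = { statusCode: 200, body: "" };
  r.end = (s) => { r.body = s === undefined ? "" : String(s); };
  return r;
}

// Constructed stand-in for ced: real ced returns a string naming the encoding.
const fakeDetect = (buf) => (buf.length === 0 ? "ASCII" : "UTF-8");

// The advisory's curl request sends text/plain, so req.body is not a Buffer:
const handler = makeHandler(fakeDetect);
const bad = fakeResponse();
handler({ body: {} }, bad);                   // bad.statusCode === 400
const good = fakeResponse();
handler({ body: Buffer.from("foo") }, good);  // good.body === "UTF-8"

module.exports = { detectEncoding, makeHandler, fakeResponse, fakeDetect };
```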