Lucene search

K
osvGoogleOSV:GHSA-27WQ-QX3Q-FXM9
HistoryAug 23, 2021 - 7:42 p.m.

Improper Handling of Unexpected Data Type in ced

2021-08-2319:42:28
Google
osv.dev
6

0.002 Low

EPSS

Percentile

64.5%

Impact

In ced v0.1.0, passing data types other than Buffer causes the Node.js process to crash.

Patches

The problem has been patched in ced v1.0.0. You can upgrade from v0.1.0 without any breaking changes.

Workarounds

Before passing an argument to ced, verify it’s a Buffer using Buffer.isBuffer(obj).

CVSS score

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C

Base Score: 7.5 (High)
Temporal Score: 7.2 (High)

Since ced is a library, the scoring is based on the β€œreasonable worst-case implementation scenario”, namely, accepting data from untrusted sources over a network and passing it directly to ced. Depending on your specific implementation, the vulnerability’s severity in your program may be different.

Proof of concept

const express = require("express");
const bodyParser = require("body-parser");
const ced = require("ced");

const app = express();

app.use(bodyParser.raw());

app.post("/", (req, res) => {
  const encoding = ced(req.body);

  res.end(encoding);
});

app.listen(3000);

curl --request POST --header "Content-Type: text/plain" --data foo http://localhost:3000 crashes the server.

References

CPENameOperatorVersion
cedlt1.0.0

0.002 Low

EPSS

Percentile

64.5%

Related for OSV:GHSA-27WQ-QX3Q-FXM9