Missing Release of Memory after Effective Lifetime in detect-character-encoding

Impact

In detect-character-encoding v0.3.0 and earlier, allocated memory is not released.

Patches

The problem has been patched in detect-character-encoding v0.3.1.

CVSS score

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C

Base Score: 7.5 (High)
Temporal Score: 7.2 (High)

Since detect-character-encoding is a library, the scoring is based on the “reasonable worst-case implementation scenario”, namely, using detect-character-encoding in a program accessible over the internet which becomes unavailable when running out of memory. Depending on your specific implementation, the vulnerability’s severity in your program may be different.

Proof of concept

const express = require("express");
const detectCharacterEncoding = require("detect-character-encoding");

const app = express();

app.get("/", (req, res) => {
  detectCharacterEncoding(Buffer.from("foo"));

  res.end();
});

app.listen(3000);

hey -n 1000000 http://localhost:3000 (hey) causes the Node.js process to consume more and more memory.

References

• https://github.com/sonicdoe/detect-character-encoding/commit/d44356927b92e3b13e178071bf6d7c671766f588
• https://github.com/sonicdoe/detect-character-encoding/pull/6