Lucene search

Veracode Vulnerability DatabaseVERACODE:41444

HistoryJul 21, 2023 - 10:45 a.m.

Denial Of Service (DoS)

2023-07-2110:45:09

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

feathersjs

transport-commons

vulnerability

nodejs

process

crash

invalid string conversions

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

48.9%

JSON

@feathersjs/transport-commons is vulnerable to Denial of Service (DoS) attacks. The vulnerability is due to invalid string conversions such as ${{ toString: '' }}, which causes the Feathers socket handler to crash the NodeJS process because its unable to handle invalid string conversions.

References

github.com/advisories/GHSA-hhr9-rh25-hvf9

github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19

github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19

github.com/feathersjs/feathers/commit/0b9a6b19b12ad05934e4c8bd9917448ed39d1ed8

github.com/feathersjs/feathers/commit/c397ab3a0cd184044ae4f73540549b30a396821c

github.com/feathersjs/feathers/pull/3241

github.com/feathersjs/feathers/pull/3242

github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

48.9%

JSON

Related for VERACODE:41444