Security vulnerability in (virtually unused) stringstream dependency #2938
Comments
#2885 was merged
@simov 2.86.x wasn't published on npm yet, and the latest version published on npm still causes warnings.
I've published it: https://snyk.io/test/npm/request
@simov Thanks!
Including just for searchability, this was also reported in NSP: https://nodesecurity.io/advisories/664
pkyeck added a commit to pkyeck/node-sdk that referenced this issue (May 17, 2018): b/c of security vulnerability (see request/request#2938)
tim-kos pushed a commit to transloadit/node-sdk that referenced this issue (May 17, 2018): b/c of security vulnerability (see request/request#2938)
Summary
request 2.85.0 has a direct dependency on stringstream 0.0.5, which has a security vulnerability that leaks uninitialised memory.
https://snyk.io/vuln/npm:stringstream:20180511
https://hackerone.com/reports/321670
Expected Behavior
No vulnerability
Current Behavior
A vulnerable version of stringstream is installed and referenced in the request module.
(Admittedly it is unlikely it actually executes on any supported version of Node.js)
Possible Solution
stringstream is only necessary for very old versions of Node.js that are no longer supported (<0.9.4).
Pull request #2885 already exists to remove stringstream.
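The commit references above show what downstream projects had to do once this was reported: find every path in their own dependency tree that reaches the vulnerable stringstream release. As an added example (not code from request, stringstream or any participant in this issue), the script below walks a package-lock.json v1 tree, where transitive dependencies are nested under `dependencies`, and reports each path that ends in a stringstream version below the first fixed release. The lockfile is a constructed sample with the versions named in this issue; treating 0.0.6 as the first fixed release is an assumption made here, not something the issue states.

```javascript
// Added example: locate vulnerable transitive dependencies in an npm
// lockfile v1 tree. Not code from request or stringstream.

// Constructed sample in package-lock.json v1 shape. Nested "dependencies"
// entries are how npm records a transitive version that could not be hoisted.
const SAMPLE_LOCK = {
  name: "app",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    request: {
      version: "2.85.0",
      requires: { stringstream: "~0.0.5" },
      dependencies: {
        stringstream: { version: "0.0.5" }, // the release this issue is about
      },
    },
    "some-other-lib": {
      version: "3.1.0",
      dependencies: {
        stringstream: { version: "0.0.6" }, // assumed patched release
      },
    },
  },
};

// Advisory data. "fixedIn: 0.0.6" is an assumption for this example.
const ADVISORIES = [
  {
    name: "stringstream",
    fixedIn: "0.0.6",
    ref: "https://snyk.io/vuln/npm:stringstream:20180511",
  },
];

// Numeric dotted versions only ("0.0.5"); pre-release tags are not handled.
function parseVersion(v) {
  return v.split(".").map((n) => parseInt(n, 10));
}

// Returns -1, 0 or 1 like a comparator; missing segments count as 0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the nested lockfile tree. Every node is checked
// against every advisory, so hoisted and nested copies are both reported,
// each with the full "parent > child" path that pulled it in.
function findVulnerablePaths(lock, advisories) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = path.concat(`${name}@${entry.version}`);
      for (const adv of advisories) {
        if (name === adv.name && compareVersions(entry.version, adv.fixedIn) < 0) {
          hits.push({ path: here.join(" > "), version: entry.version, ref: adv.ref });
        }
      }
      walk(entry.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Usage: run against the constructed lockfile above.
for (const hit of findVulnerablePaths(SAMPLE_LOCK, ADVISORIES)) {
  console.log(`vulnerable: ${hit.path} (${hit.ref})`);
}
```

The path in the report ("request@2.85.0 > stringstream@0.0.5") is what tells a maintainer that bumping request, not stringstream, is the fix. The walk only understands the nested v1 layout; lockfile v2 and v3 keep a flat `packages` map keyed by install path and would need a different traversal.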