Denial-of-Service Memory Exhaustion

Module: qs

Published: August 6th, 2014

Reported by: Dustin Shiver

CVE-2014-7191

CWE-730

Vulnerable: <1.0.0
Patched: >= 1.x

Overview

The qs module has the ability to create sparse arrays during parsing. By specifying a high index it is possible to create a large array that will eventually take up all the allocated memory of the running process, resulting in a crash.
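The sparse-array behaviour described above, shown as an added example that is not qs source code: a simplified index-aware parser in an unbounded form and a bounded form. The limit of 20, the function names and the sample query are assumptions made for this illustration.

```javascript
// Added illustration: a simplified stand-in for an index-aware query parser.
// It is not qs source code; ARRAY_LIMIT and all function names are assumptions.
const ARRAY_LIMIT = 20;

// Yield [name, index, value] for each "name[index]=value" pair.
// Percent-decoding and nested keys are left out to keep the sketch short.
function* indexedPairs(query) {
  for (const part of query.split('&')) {
    const m = /^([^=[\]]+)\[(\d+)\]=(.*)$/.exec(part);
    if (m) yield [m[1], Number(m[2]), m[3]];
  }
}

// Unbounded form: the index from the request is used as an array index,
// so the array's length is set by the sender, not by the element count.
function parseUnbounded(query) {
  const out = Object.create(null); // no prototype, so "__proto__" is just a key
  for (const [name, index, value] of indexedPairs(query)) {
    const arr = out[name] ?? (out[name] = []);
    arr[index] = value; // length becomes index + 1
  }
  return out;
}

// Bounded form: an index above the limit demotes the container to a plain
// object keyed by index, so its size tracks the number of pairs received.
function parseBounded(query, limit = ARRAY_LIMIT) {
  const out = Object.create(null);
  for (const [name, index, value] of indexedPairs(query)) {
    let slot = out[name] ?? [];
    if (index > limit && Array.isArray(slot)) slot = Object.assign({}, slot);
    slot[index] = value;
    out[name] = slot;
  }
  return out;
}

// Slots a consumer walks if it iterates or densifies the parsed value.
function slotCount(container) {
  return Array.isArray(container) ? container.length : Object.keys(container).length;
}

// Constructed sample input; the index is kept modest on purpose.
const SAMPLE = 'a[0]=first&a[5000]=last';
console.log(slotCount(parseUnbounded(SAMPLE).a)); // 5001
console.log(slotCount(parseBounded(SAMPLE).a));   // 2
```

In the unbounded form, two submitted values produce 5001 slots; in the bounded form the same input produces a two-key object.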

Remediation

Update qs to version 1.0.0 or greater.
