Upgrade superagent to version 3.7.0 or later. For example:
"dependencies": {
  "superagent": ">=3.7.0"
}
or…
"devDependencies": {
  "superagent": ">=3.7.0"
}
Note that a range of ">=3.7.0" also admits any future major version of superagent; a caret range such as "^3.7.0" takes the fix while keeping the dependency within the 3.x line. Always verify the validity and compatibility of suggestions with your codebase, and re-run your lockfile install so the resolved version actually changes.
Details
CVE-2017-16129
Severity: low
Vulnerable versions: < 3.7.0
Patched version: 3.7.0
The HTTP client module superagent is vulnerable to ZIP bomb (decompression bomb) attacks. In such an attack, the HTTP server replies with a compressed response body that becomes several orders of magnitude larger once decompressed. A client that inflates such a response without bounding the decompressed size can be driven into excessive CPU and/or memory consumption, which an attacker can exploit for denial of service. To exploit this, the attacker must control the location (URL) that superagent makes a request to, i.e. be able to point the client at a server they control.