Unleash / unleash-client-node

Unleash client SDK for Node.js
https://docs.getunleash.io
Apache License 2.0
212 stars 71 forks

Security Vulnerability: http-cache-semantics vulnerable to Regular Expression Denial of Service #521

Closed juniorp07 closed 12 months ago

juniorp07 commented 1 year ago

Description:

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. Http-cache-semantics is a dependency stemming from make-fetch-happen@10.2.1.

https://github.com/advisories/GHSA-rc47-6667-2]5j

Remediation:

Upgrade http-cache-semantics to version 4.1.1 or above.

thomasheartman commented 12 months ago

Thanks for reporting this! We'll look into it ASAP. And I believe the link to the advisory board should have been https://github.com/advisories/GHSA-rc47-6667-2j5j (there was a ] that should have been a j).

gardleopard commented 12 months ago

This was fixed in commit https://github.com/Unleash/unleash-client-node/commit/7ebda1a999017aa38b45e48a0e8bc5ea73da0920

We pin http-cache-semantics to version 4.1.1.