Closed mend-for-github-com[bot] closed 4 years ago
Base64 encode, decode, escape and unescape for URL applications
Library home page: https://registry.npmjs.org/base64-url/-/base64-url-1.2.1.tgz
Path to dependency file: /tmp/ws-scm/cla-bot/package.json
Path to vulnerable library: /tmp/ws-scm/cla-bot/node_modules/base64-url/package.json
Dependency Hierarchy: - express-3.20.3.tgz (Root Library) - connect-2.29.2.tgz - csurf-1.7.0.tgz - csrf-2.0.7.tgz - :x: **base64-url-1.2.1.tgz** (Vulnerable Library)
Found in HEAD commit: 728af6547d8b346b13cb8e7fe8c30e8a0df3cbeb
Versions of base64-url before 2.0.0 are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when number is passed in input.
Publish Date: 2018-05-16
URL: WS-2018-0111
Base Score Metrics not available
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/660
Release Date: 2018-01-27
Fix Resolution: 2.0.0
WS-2018-0111 - High Severity Vulnerability
Vulnerable Library - base64-url-1.2.1.tgz
Base64 encode, decode, escape and unescape for URL applications
Library home page: https://registry.npmjs.org/base64-url/-/base64-url-1.2.1.tgz
Path to dependency file: /tmp/ws-scm/cla-bot/package.json
Path to vulnerable library: /tmp/ws-scm/cla-bot/node_modules/base64-url/package.json
Dependency Hierarchy: - express-3.20.3.tgz (Root Library) - connect-2.29.2.tgz - csurf-1.7.0.tgz - csrf-2.0.7.tgz - :x: **base64-url-1.2.1.tgz** (Vulnerable Library)
Found in HEAD commit: 728af6547d8b346b13cb8e7fe8c30e8a0df3cbeb
Vulnerability Details
Versions of base64-url before 2.0.0 are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when number is passed in input.
Publish Date: 2018-05-16
URL: WS-2018-0111
CVSS 2 Score Details (8.6)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/660
Release Date: 2018-01-27
Fix Resolution: 2.0.0