isomorphic-fetch/node_modules/node-fetch/lib/index.js
702: function sanitizeValue(value) {
isomorphic-fetch/node_modules/node-fetch/lib/index.js
704: if (checkInvalidHeaderChar(value)) {
isomorphic-fetch/node_modules/node-fetch/lib/index.js
670: function checkInvalidHeaderChar(val) {
isomorphic-fetch/node_modules/node-fetch/lib/index.js
673: var c = val.charCodeAt(0);
isomorphic-fetch/node_modules/node-fetch/lib/index.js
681: for (var i = 3; i < val.length; ++i) {
Risks:
An attacker could provide a very high loop iteration count, causing the loop to go on for prolonged periods of time, potentially causing the application to stop responding. Additionally, if the operation inside the loop is tied to some exhaustible functionality, it may cause bloat elsewhere; For example - if file writes occur inside the loop, then an attacker can cause that file to bloat by simply engaging this file writing capability a very high amount of times.
The application relied on a user-provided value to determine the number of iterations performed by a loop, without enforcing a limited range for this value.
Risks:
Sending data over the network is inherently risky, unless the communication channel is protected using a secured protocol. This is especially true for mobile devices that are often connected to non-secure networks and untrusted hotspots. An attacker can easily eavesdrop on the information being sent over the air, and even manipulate the data in some scenarios.
Thus, an attacker could steal any personal or secret data sent over unencrypted HTTP, such as passwords, credit card details, social security numbers, and other forms of PII (Personally Identifiable Information), leading to identity theft and other forms of fraud. Additionally, it may be possible for an active attacker to alter the data and inject false or malicious data, causing further damage to the application server or the client app.
The app handles various forms of sensitive data, and communicates with the remote application server. However, the app connects using an ""http://"" URL, which will cause the underlying channel to use straight HTTP, without securing it with SSL/TLS.
Affected files: isomorphic-fetch/node_modules/node-fetch/lib/index.js
1327: headers.set('location', resolve_url(request.url, headers.get('location')));isomorphic-fetch/node_modules/node-fetch/lib/index.js
827: set(name, value) {isomorphic-fetch/node_modules/node-fetch/lib/index.js
828: this[MAP][sanitizeName(name)] = [sanitizeValue(value)];isomorphic-fetch/node_modules/node-fetch/lib/index.js
702: function sanitizeValue(value) {isomorphic-fetch/node_modules/node-fetch/lib/index.js
704: if (checkInvalidHeaderChar(value)) {isomorphic-fetch/node_modules/node-fetch/lib/index.js
670: function checkInvalidHeaderChar(val) {isomorphic-fetch/node_modules/node-fetch/lib/index.js
673: var c = val.charCodeAt(0);isomorphic-fetch/node_modules/node-fetch/lib/index.js
681: for (var i = 3; i < val.length; ++i) {Risks: An attacker could provide a very high loop iteration count, causing the loop to go on for prolonged periods of time, potentially causing the application to stop responding. Additionally, if the operation inside the loop is tied to some exhaustible functionality, it may cause bloat elsewhere; For example - if file writes occur inside the loop, then an attacker can cause that file to bloat by simply engaging this file writing capability a very high amount of times.
The application relied on a user-provided value to determine the number of iterations performed by a loop, without enforcing a limited range for this value.
Affected files: isomorphic-fetch/node_modules/node-fetch/test/test.js
43: url = 'http://example.com/';isomorphic-fetch/node_modules/node-fetch/test/test.js
44: var p = fetch(url)isomorphic-fetch/node_modules/node-fetch/test/test.js
50: url = 'http://example.com/';isomorphic-fetch/node_modules/node-fetch/test/test.js
54: expect(fetch(url)).to.not.be.an.instanceof(bluebird);isomorphic-fetch/node_modules/node-fetch/test/test.js
50: url = 'http://example.com/';isomorphic-fetch/node_modules/node-fetch/test/test.js
53: expect(fetch(url)).to.be.an.instanceof(then);isomorphic-fetch/node_modules/node-fetch/test/test.js
90: url = 'http://localhost:50000/';isomorphic-fetch/node_modules/node-fetch/test/test.js
91: return expect(fetch(url)).to.eventually.be.rejectedisomorphic-fetch/node_modules/node-fetch/test/test.js
417: url = 'http://domain.invalid';isomorphic-fetch/node_modules/node-fetch/test/test.js
418: return expect(fetch(url)).to.eventually.be.rejectedRisks: Sending data over the network is inherently risky, unless the communication channel is protected using a secured protocol. This is especially true for mobile devices that are often connected to non-secure networks and untrusted hotspots. An attacker can easily eavesdrop on the information being sent over the air, and even manipulate the data in some scenarios.
Thus, an attacker could steal any personal or secret data sent over unencrypted HTTP, such as passwords, credit card details, social security numbers, and other forms of PII (Personally Identifiable Information), leading to identity theft and other forms of fraud. Additionally, it may be possible for an active attacker to alter the data and inject false or malicious data, causing further damage to the application server or the client app.
The app handles various forms of sensitive data, and communicates with the remote application server. However, the app connects using an ""http://"" URL, which will cause the underlying channel to use straight HTTP, without securing it with SSL/TLS.