Fix CVE-2019-10196 #50

Open. Wants to merge 1 commit into main.

Conversation

debricked[bot] commented Mar 27, 2023

CVE-2019-10196

Vulnerability details

Description

Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

NVD

A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter.

GitHub

Resource Exhaustion Denial of Service in http-proxy-agent

(Same description text as the NVD entry above.)

CVSS details - 9.8

CVSS3 metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
References

    Resource Exhaustion Denial of Service in http-proxy-agent · CVE-2019-10196 · GitHub Advisory Database · GitHub
    NVD - CVE-2019-10196
    1567245 – (CVE-2019-10196) CVE-2019-10196 nodejs-http-proxy-agent: Denial of Service and data leak due to improper buffer sanitization
    Denial of Service in http-proxy-agent · GHSA-8w57-jfpm-945m · GitHub Advisory Database · GitHub
    Use Buffer.from() · TooTallNate/node-http-proxy-agent@b7b7cc7 · GitHub
    node-http-proxy-agent/index.js at 2.0.0 · TooTallNate/node-http-proxy-agent · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE
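The pattern the advisory describes, as an added Node.js example that is not code from node-http-proxy-agent, from the debricked bot, or from the referenced fix commit. It reconstructs the vulnerable shape (the `auth` option handed straight to the Buffer constructor) beside a `Buffer.from()` replacement and feeds both a constructed proxy config whose `auth` field arrived as a number instead of a `user:pass` string. The `typeof` check in the hardened function is this example's own assumption about how to harden the call; the page only documents the `Buffer.from()` swap.

```javascript
'use strict';
// Added example; not code from node-http-proxy-agent or the debricked bot.
// Reconstructs the CVE-2019-10196 pattern (untyped `auth` passed to the
// Buffer constructor) beside a Buffer.from() replacement, and shows what an
// attacker-controlled *number* does to each.

// Legacy shape (reconstructed; the real pre-2.1.0 code is in the referenced
// index.js at 2.0.0): build the Proxy-Authorization value via `new Buffer`.
//   new Buffer('user:pass') -> encodes the string (9 bytes)
//   new Buffer(1000000)     -> allocates a 1 MB buffer instead: uninitialized
//                              on Node < 8 (data exposure), and sized by the
//                              caller on every Node version (CPU/memory DoS)
function encodeAuthLegacy(auth) {
  return new Buffer(auth).toString('base64');
}

// Size of the buffer the legacy path allocates for a given `auth` value.
function legacyBufferLength(auth) {
  return new Buffer(auth).length;
}

// Hardened shape. The referenced fix commit switches to Buffer.from(); the
// explicit typeof check is this example's own addition (an assumption about
// hardening, not the project's code) so a non-string fails with a clear
// error instead of relying on Buffer.from()'s own TypeError.
function encodeAuthFixed(auth) {
  if (typeof auth !== 'string') {
    throw new TypeError('proxy auth must be a string, got ' + typeof auth);
  }
  return Buffer.from(auth, 'utf8').toString('base64');
}

// Buffer.from() refuses numbers outright (ERR_INVALID_ARG_TYPE, a TypeError),
// which is why the one-line swap closes the allocation primitive.
function bufferFromRejectsNumber(n) {
  try {
    Buffer.from(n);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

// Constructed input (not captured from any real system): a proxy config
// deserialized from JSON in which "auth" is a number rather than a string.
const CONSTRUCTED_PROXY_OPTIONS = JSON.parse(
  '{"host":"proxy.example","port":8080,"auth":1000000}'
);

function demo() {
  console.log('legacy, string auth :', encodeAuthLegacy('user:pass'));
  console.log('legacy, numeric auth: allocates',
    legacyBufferLength(CONSTRUCTED_PROXY_OPTIONS.auth), 'bytes');
  console.log('fixed,  string auth :', encodeAuthFixed('user:pass'));
  try {
    encodeAuthFixed(CONSTRUCTED_PROXY_OPTIONS.auth);
  } catch (err) {
    console.log('fixed,  numeric auth: rejected ->', err.message);
  }
}

demo();
```

Running it prints a `DeprecationWarning` for `new Buffer()` on current Node; that warning is the runtime flagging exactly the call the advisory is about. The uninitialized-memory half of the finding only reproduces on Node releases older than 8 (newer ones zero-fill `new Buffer(number)`), but the attacker-chosen allocation size, and therefore the DoS half, is present wherever the legacy shape survives.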
