Impact
In detect-character-encoding v0.3.0 and earlier, allocated memory is not released.
Patches
The problem has been patched in detect-character-encoding v0.3.1.
CVSS score
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C
Base Score: 7.5 (High)
Temporal Score: 7.2 (High)
Since detect-character-encoding is a library, the scoring is based on the “reasonable worst-case implementation scenario”, namely, using detect-character-encoding in a program accessible over the internet which becomes unavailable when running out of memory. Depending on your specific implementation, the vulnerability’s severity in your program may be different.
Proof of concept
const express = require("express");
const detectCharacterEncoding = require("detect-character-encoding");
const app = express();
app.get("/", (req, res) => {
detectCharacterEncoding(Buffer.from("foo"));
res.end();
});
app.listen(3000);hey -n 1000000 http://localhost:3000 (hey) causes the Node.js process to consume more and more memory.
References
Impact
In detect-character-encoding v0.3.0 and earlier, allocated memory is not released.
Patches
The problem has been patched in detect-character-encoding v0.3.1.
CVSS score
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C
Base Score: 7.5 (High)
Temporal Score: 7.2 (High)
Since detect-character-encoding is a library, the scoring is based on the “reasonable worst-case implementation scenario”, namely, using detect-character-encoding in a program accessible over the internet which becomes unavailable when running out of memory. Depending on your specific implementation, the vulnerability’s severity in your program may be different.
Proof of concept
hey -n 1000000 http://localhost:3000(hey) causes the Node.js process to consume more and more memory.References