@stablelib/cbor DoS Vulnerability - Deeply Nested CBOR
Platform
nodejs
Component
@stablelib/cbor
Fixed in
2.0.3
GHSA-5jg4-p4qw-cgfr describes a Denial of Service (DoS) vulnerability in the `@stablelib/cbor` package. The decoder walks nested CBOR structures recursively without enforcing a maximum nesting depth, so every level of nesting in the input costs at least one additional stack frame. An attacker who controls the input can therefore supply a payload nested deeply enough to exhaust the call stack, which aborts decoding with `RangeError: Maximum call stack size exceeded`; if that error is not caught, it terminates the Node.js process handling the request. The issue is fixed in version 2.0.3.
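To make the bug class concrete, the following added example (written for this page, not taken from @stablelib/cbor, and not reproducing that package's API or its actual patch) builds a deeply nested CBOR payload and decodes it with two minimal CBOR-subset decoders: a naive recursive one that mirrors the vulnerable pattern, and a depth-bounded one that rejects the payload before the stack is exhausted. The `MAX_DEPTH` value of 64 is an assumption chosen for illustration.

```javascript
// Added illustration for this advisory: a minimal CBOR-subset decoder written
// here to show the bug class (unbounded recursion on nested containers) and a
// depth-bounded counterpart. It is NOT the @stablelib/cbor source and does not
// reproduce that package's API; the MAX_DEPTH value is an assumption.

// Build a payload of `depth` nested single-element arrays around the integer 0:
// 0x81 = major type 4 (array) with length 1; 0x00 = major type 0, unsigned int 0.
function nestedArrayPayload(depth) {
  const bytes = new Uint8Array(depth + 1);
  bytes.fill(0x81, 0, depth);
  bytes[depth] = 0x00;
  return bytes;
}

// Decode one CBOR item at bytes[pos]. Supports only small unsigned ints (0..23)
// and definite-length arrays of up to 23 elements, which is all the payload uses.
// `recurse(nextPos)` is how the caller asks for a nested item, so the same core
// serves both decoders below.
function decodeItem(bytes, pos, recurse) {
  if (pos >= bytes.length) throw new Error('truncated CBOR input');
  const initial = bytes[pos];
  const major = initial >> 5;
  const info = initial & 0x1f;
  if (major === 0 && info < 24) return { value: info, pos: pos + 1 };
  if (major === 4 && info < 24) {
    const items = [];
    let cur = pos + 1;
    for (let i = 0; i < info; i++) {
      const child = recurse(cur); // one more stack frame per nesting level
      items.push(child.value);
      cur = child.pos;
    }
    return { value: items, pos: cur };
  }
  throw new Error(`unsupported initial byte 0x${initial.toString(16)}`);
}

// Vulnerable pattern: recursion with no bound. Attacker-chosen nesting depth
// becomes attacker-chosen stack depth.
function decodeNaive(bytes) {
  const walk = (pos) => decodeItem(bytes, pos, walk);
  return walk(0).value;
}

// Hardened pattern: track the nesting level and refuse before recursing further.
const MAX_DEPTH = 64; // assumed limit for this example; pick one that fits your schema
function decodeBounded(bytes, maxDepth = MAX_DEPTH) {
  const walk = (pos, depth) => {
    if (depth > maxDepth) {
      throw new RangeError(`CBOR nesting deeper than ${maxDepth} levels rejected`);
    }
    return decodeItem(bytes, pos, (next) => walk(next, depth + 1));
  };
  return walk(0, 0).value;
}

// Run a decoder and summarise the outcome as a string, so the two decoders'
// behaviour on the same hostile input can be compared directly.
function tryDecode(bytes, decoder) {
  try {
    decoder(bytes);
    return 'ok';
  } catch (e) {
    return `${e.constructor.name}: ${e.message}`;
  }
}

// Demo: benign input decodes either way; a million-level payload (about 1 MB)
// exhausts the naive decoder's stack but is rejected cleanly by the bounded one.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(decodeNaive(nestedArrayPayload(3)))); // [[[0]]]
  const hostile = nestedArrayPayload(1_000_000);
  console.log('naive:  ', tryDecode(hostile, decodeNaive));
  console.log('bounded:', tryDecode(hostile, decodeBounded));
}
```

Two caveats for anyone applying this pattern to a real decoder: the limit has to count every kind of nesting CBOR offers (arrays, maps, tags, and indefinite-length containers), not just definite-length arrays as in this subset; and because a stack-overflow `RangeError` thrown from an uncaught position will still take down a Node.js process, untrusted CBOR should be decoded inside a try/catch (and ideally behind an input size limit) even once the upgraded package is in place.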
How to fix
Upgrade @stablelib/cbor to version 2.0.3 or later, the release that contains the fix. Until the upgrade is deployed, avoid decoding CBOR received from untrusted sources with the affected versions.
Frequently asked questions
What is GHSA-5jg4-p4qw-cgfr?
GHSA-5jg4-p4qw-cgfr is a Denial of Service (DoS) vulnerability in the @stablelib/cbor package that occurs due to unbounded recursion when decoding deeply nested CBOR structures.
Am I affected by GHSA-5jg4-p4qw-cgfr?
You are affected if you are using a version of @stablelib/cbor prior to 2.0.3 and processing CBOR data from untrusted sources. Attackers can craft malicious CBOR payloads to crash your application.
How do I fix GHSA-5jg4-p4qw-cgfr?
Upgrade to @stablelib/cbor version 2.0.3 or later. This version includes a fix that prevents the unbounded recursion and mitigates the Denial of Service vulnerability.