CVE-2023-2968: Undefined variable usage in npm proxy leads to remote denial of service | XRAY-520917
A remote attacker can trigger a denial of service by sending a crafted HTTP request that makes the proxy use the undefined socket.remoteAddress variable. Using the undefined value raises an uncaught TypeError exception, which terminates the process.
CVE-2023-2968 | CVSS 7.5
JFrog Severity: High
Discovered by Ori Hollander of the JFrog Security Research Team
Published 30 May, 2023 | Last updated 30 May, 2023
Undefined variable usage in npm package “proxy” leads to remote denial of service
Affected package: proxy
Affected versions: (,2.1.1), fixed in 2.1.1
The following simple program is vulnerable to this issue:

    import * as http from 'http';
    import { createProxy } from 'proxy';

    // Wrap a plain HTTP server with the vulnerable proxy handler.
    const server = createProxy(http.createServer());

    server.listen(31285, () => {
      const port = server.address().port;
      console.log('HTTP(s) proxy server listening on port %d', port);
    });
An attacker can crash the program by sending a valid HTTP GET request followed by invalid trailing data.
No mitigations are supplied for this issue.
No references are supplied for this issue.