Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2017-16129

UNKNOWN
Published 2018-06-07T02:00:00Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2017-16129. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

HackerOne

superagent node module

Affected Versions:

<3.7.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

superagent vulnerable to zip bomb attacks

GHSA-8225-6cvr-8pqp

Advisory Details

Affected versions of `superagent` do not check the post-decompression size of ZIP compressed HTTP responses prior to decompressing. This results in the package being vulnerable to a [ZIP bomb](https://en.wikipedia.org/wiki/Zip_bomb) attack, where an extremely small ZIP file becomes many orders of magnitude larger when decompressed. This may result in unrestrained CPU/Memory/Disk consumption, causing a denial of service condition. ## Recommendation Update to version 3.7.0 or later.

Affected Packages

npm superagent
ECOSYSTEM: ≥0 <3.7.0

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-16129
WEB https://github.com/visionmedia/superagent/issues/1259
WEB https://en.wikipedia.org/wiki/Zip_bomb
ADVISORY https://github.com/advisories/GHSA-8225-6cvr-8pqp
WEB https://www.npmjs.com/advisories/479

Advisory provided by GitHub Security Advisory Database. Published: August 9, 2018, Modified: September 8, 2023

References

https://nodesecurity.io/advisories/479
https://github.com/visionmedia/superagent/issues/1259
Published: 2018-06-07T02:00:00Z
Last Modified: 2024-09-16T19:04:07.190Z
Copied to clipboard!