{ "schema_version": "1.4.0", "id": "GHSA-g74r-ffvr-5q9f", "modified": "2020-08-31T18:29:17Z", "published": "2019-06-03T17:26:44Z", "aliases": [], "summary": "Memory Exposure in concat-stream", "details": "Versions of `concat-stream` before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into `write()`. A number that reaches the unguarded `Buffer` constructor allocates a buffer of that length, which on older Node.js versions is not zero-filled, so the output can contain leftover process memory.\n\nVersions <1.3.0 are not affected because they do not use the unguarded Buffer constructor.\n\n\n\n## Recommendation\n\nUpdate to version 1.5.2, 1.4.11, 1.3.2 or later.\n\nIf you are unable to update, make sure user-provided input passed into the `write()` function is not a number.", "severity": [], "affected": [ { "package": { "ecosystem": "npm", "name": "concat-stream" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.5.0" }, { "fixed": "1.5.2" } ] } ] }, { "package": { "ecosystem": "npm", "name": "concat-stream" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.4.0" }, { "fixed": "1.4.11" } ] } ] }, { "package": { "ecosystem": "npm", "name": "concat-stream" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.3.0" }, { "fixed": "1.3.2" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/maxogden/concat-stream/pull/47" }, { "type": "WEB", "url": "https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e" }, { "type": "WEB", "url": "https://gist.github.com/ChALkeR/c2d2fd3f1d72d51ad883df195be03a85" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/597" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2019-06-03T17:26:24Z", "nvd_published_at": null } }