GMS-2019-119: Denial of Service in canvas

June 5, 2019 (updated August 31, 2020)

Versions of canvas prior to 1.6.10 are vulnerable to Denial of Service. Processing malicious JPEGs or GIFs could crash the node process.

Recommendation

Upgrade to version 1.6.10

References

github.com/Automattic/node-canvas/commit/c3e4ccb1c404da01e83fe5eb3626bf55f7f55957
github.com/advisories/GHSA-vpq5-4rc8-c222
hackerone.com/reports/315037
www.npmjs.com/advisories/804

Detect and mitigate GMS-2019-119 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →