GMS-2019-18: Memory Exposure in concat-stream

June 3, 2019 (updated May 23, 2022)

Versions of concat-stream is vulnerable to memory exposure if userp provided input is passed into write()

are not affected due to not using unguarded Buffer constructor. Update to or later.

If you are unable to update make sure user provided input into the write() function is not a number.

References

gist.github.com/ChALkeR/c2d2fd3f1d72d51ad883df195be03a85
github.com/advisories/GHSA-g74r-ffvr-5q9f
github.com/maxogden/concat-stream/pull/47
github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e
nodesecurity.io/advisories/597
www.npmjs.com/advisories/597

Detect and mitigate GMS-2019-18 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →