GMS-2019-26: Remote Memory Exposure in floody
(updated )
Versions of floody
are vulnerable to remote memory exposure.
. appending a chunk of uninitialized memory.
Proof of Concept:
```js
var f = require('floody')(process.stdout);
f.write(USERSUPPLIEDINPUT);
f.stop();
```

## Recommendation
Update to or later.
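
Alongside the update, callers can refuse non-string input before it reaches `write()`. The following is an added example, not floody's code or part of the advisory; it assumes the exposure follows the well-known Node.js pattern in which a number reaching the legacy `Buffer` constructor is treated as an allocation size, and `legacyChunk`, `safeChunk` and `guardedWrite` are hypothetical names.

```javascript
// Legacy pattern, shown for contrast: a numeric input is treated as a size.
// Before Node.js 8, `new Buffer(n)` returned n uninitialized bytes;
// Buffer.allocUnsafe(n) has the same allocation behaviour on current runtimes.
function legacyChunk(input) {
  return typeof input === 'number'
    ? Buffer.allocUnsafe(input)        // n bytes of stale process memory
    : Buffer.from(String(input));
}

// Hardened form: only strings and Buffers are accepted, so a number can
// never be interpreted as a length.
function safeChunk(input) {
  if (Buffer.isBuffer(input)) return input;
  if (typeof input === 'string') return Buffer.from(input, 'utf8');
  throw new TypeError('write() input must be a string or Buffer, got ' + typeof input);
}

// Hypothetical wrapper: validate before handing data to any write()-style
// sink (an assumption here: the sink exposes write(chunk)).
function guardedWrite(sink, input) {
  const chunk = safeChunk(input);
  sink.write(chunk);
  return chunk.length;
}

// Constructed sample: JSON bodies let a client send a number where the
// application expected a string, which is how the type confusion arises.
function demo() {
  const body = JSON.parse('{"msg": 64}');     // constructed request body
  const written = [];
  const sink = { write: (c) => written.push(c) };

  const legacyLength = legacyChunk(body.msg).length; // 64 bytes would be emitted
  let rejected = false;
  try {
    guardedWrite(sink, body.msg);
  } catch (err) {
    rejected = err instanceof TypeError;
  }
  return { legacyLength, rejected, chunksWritten: written.length };
}

console.log(demo());
```
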