CVE-2024-21523: images vulnerable to Denial of Service
All versions of the package images are vulnerable to Denial of Service (DoS) due to providing unexpected input types to several different functions. This makes it possible to reach an assert macro, leading to a process crash.
Note: By providing some specific integer values (like 0) to the size function, it is possible to obtain a Segmentation fault error, leading to the process crash.
References
- gist.github.com/dellalibera/8b4ea6b4db84cba212e6e6e39a6933d1
- github.com/advisories/GHSA-vjpv-x8p9-7p85
- github.com/zhangyuanwei/node-images
- github.com/zhangyuanwei/node-images/blob/691d49f4e620b4eec9f1c47b1735841d9d8b55f6/src/Image.cc
- nvd.nist.gov/vuln/detail/CVE-2024-21523
- security.snyk.io/vuln/SNYK-JS-IMAGES-6421826
Detect and mitigate CVE-2024-21523 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →