GMS-2020-442: Sensitive Data Exposure in put
All versions of put are vulnerable to Uninitialized Memory Exposure. The package incorrectly calculates the allocated Buffer size and does not trim the bytes written, which may allow attackers to access uninitialized memory containing sensitive data. This vulnerability only affects versions of Node.js Upgrade your Node.js version or consider using an alternative package.
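The bug class described above, as an added illustration that is not the put package's source: an encoder that over-estimates the Buffer size and returns the buffer untrimmed, next to a corrected form and a regression check. All function names are hypothetical, and Buffer.allocUnsafe is assumed here as a stand-in for an uninitialized allocation.

```javascript
// Added illustration of the bug class; NOT code from the put package.
// Buffer is a Node.js global, so no imports are needed.

// Vulnerable pattern: the size is over-estimated (2 bytes per character)
// while the string is written as UTF-8, and the whole buffer is returned.
function encodeVulnerable(str) {
  const size = str.length * 2;           // incorrect size calculation
  const buf = Buffer.allocUnsafe(size);  // memory is not zero-filled
  buf.write(str, 0, 'utf8');             // may write fewer bytes than `size`
  return buf;                            // untrimmed: tail is stale memory
}

// Corrected pattern: exact byte length, zero-filled allocation, and the
// result trimmed to the number of bytes actually written.
function encodeSafe(str) {
  const size = Buffer.byteLength(str, 'utf8');
  const buf = Buffer.alloc(size);        // zero-filled
  const written = buf.write(str, 0, 'utf8');
  return buf.subarray(0, written);
}

// Bytes in the output that were never written from the input.
function unwrittenBytes(str, encoded) {
  return encoded.length - Buffer.byteLength(str, 'utf8');
}

// Regression check: returns the inputs for which an encoder's output is not
// exactly the UTF-8 encoding of the input (extra or missing bytes).
function findSizeMismatches(encoder, samples) {
  return samples.filter((s) => !encoder(s).equals(Buffer.from(s, 'utf8')));
}

// Constructed sample inputs: empty, ASCII, and a 3-byte UTF-8 character.
const SAMPLES = ['', 'token', '\u20ac'];
```

Running findSizeMismatches over an encoder in a test suite flags both failure modes of a wrong size calculation: trailing bytes that were never written, and truncated output.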