CVE-2024-21526: speaker vulnerable to Denial of Service

July 10, 2024

All versions of the package speaker are vulnerable to Denial of Service (DoS) when providing unexpected input types to the channels property of the Speaker object makes it possible to reach an assert macro. Exploiting this vulnerability can lead to a process crash.

References

github.com/TooTallNate/node-speaker
github.com/TooTallNate/node-speaker/blob/316afff5a393fce438cf7296011fcfc6e12aa9dc/src/binding.c
github.com/advisories/GHSA-w5fc-gj3h-26rx
nvd.nist.gov/vuln/detail/CVE-2024-21526
security.snyk.io/vuln/SNYK-JS-SPEAKER-6370676

Detect and mitigate CVE-2024-21526 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →