GMS-2019-61: Memory Exposure in tunnel-agent

June 3, 2019 (updated August 4, 2021)

Versions of tunnel-agent are vulnerable to memory exposure.

This is exploitable if user supplied input is provided to the auth value and is a number.

Proof-of-concept:

require('request')({
 method: 'GET',
 uri: 'http://www.example.com',
 tunnel: true,
 proxy:{
 protocol: 'http:',
 host:'127.0.0.1',
 port:8080,
 auth:USERSUPPLIEDINPUT // number
 }
});
``` Update to or later.

References

gist.github.com/ChALkeR/fd6b2c445834244e7d440a043f9d2ff4
github.com/advisories/GHSA-xc7v-wxcw-j472
github.com/request/tunnel-agent/commit/9ca95ec7219daface8a6fc2674000653de0922c0
www.npmjs.com/advisories/598

Detect and mitigate GMS-2019-61 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →