Comments (10)
Good news! The memory leak is NOT present in 2.6.9. PoC here: https://stackblitz.com/edit/stackblitz-starters-dhsr9k?file=index.js
If you run the app there and open up your browser dev tools memory profiler, you'll see that there is no leak. (On my machine total heap was in the 100s of MB.)
If you want to reproduce the leak there, then `npm i [email protected]` and then run it again. You'll see the heap go up and up.
Thanks for reporting @MandeeGit, but I was not able to find this reference. What software do you use?
I checked against Snyk and Socket.dev:
- https://security.snyk.io/package/npm/debug/2.6.9
- https://security.snyk.io/package/npm/body-parser
- https://socket.dev/npm/package/body-parser/overview/1.20.2
@UlisesGascon I am using Checkmarx. By default it is listed in my package-lock.json. Unable to override it.
Yes, @MandeeGit. [email protected] is included with body-parser, but I can't see any direct vulnerability associated:
No direct vulnerabilities have been found for this package in Snyk’s vulnerability database. This does not include vulnerabilities belonging to this package’s dependencies. Snyk [email protected]
Same results on Socket.dev. Do you have any CVE associated?
AFAIK we are not planning to update to [email protected] yet.
Please find the CWEs below @UlisesGascon: CWE-401 and CWE-1333
@MandeeGit A screenshot of a page is not enough for us to act on. We don't see any reported CVEs on any of the normal platforms, and your screenshot is not enough to understand or remediate the issue. If it is not just a false positive on that platform, please have them reach out (or do so yourself) with a security report so we can address it.
False positive with Checkmarx. It's referencing:
and
debug-js/debug#678 (which I can't find any CVE for)
Edit: the memory leak may be a valid vulnerability... but there is no patch. The memory leak was fixed here: debug-js/debug#740 in version 4.3.0.
Ok, I am going to close this.
Edited my above comment, but the memory leak was patched in 4.3.0 and was not backported.
Worth noting that express itself pulls in the same version of debug.