Large gzip Denial of Servicesuperagent
Affected versions of
superagent do not check the post-decompression size of ZIP compressed HTTP responses prior to decompressing. This results in the package being vulnerable to a ZIP bomb attack, where an extremely small ZIP file becomes many orders of magnitude larger when decompressed.
This may result in unrestrained CPU/Memory/Disk consumption, causing a denial of service condition.
Update to version 3.7.0 or later.
publishedAdvisory publishedSep 26th, 2017
reportedInitial report by Dennis AppeltJul 28th, 2017