Description
https-proxy-agent before 2.1.1 passes the auth option to the Buffer constructor without proper sanitization, resulting in DoS and an uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/319532
Scores
CVSS v3
9.1
EPSS
0.0043
EPSS Percentile
62.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Details
CWE
CWE-125
CWE-400
Status
published
Products (2)
https-proxy-agent_project/https-proxy-agent
< 2.2.0
npm/https-proxy-agent
0 - 2.2.0 (npm)
Published
Jun 07, 2018
Tracked Since
Feb 18, 2026