CVE-2019-10196
CRITICAL
http-proxy-agent < 2.1.0 - Denial of Service and Data Exposure via Auth Parameter
Title source: llm
Description
A flaw was found in http-proxy-agent prior to version 2.1.0. It was discovered that http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter.
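The pattern described above, next to a type-checked alternative, as an added illustration (not http-proxy-agent's source code). The function names, `MAX_AUTH_LENGTH` and the sample JSON inputs are hypothetical and constructed for this example.

```javascript
'use strict';

// Hypothetical upper bound for a "user:password" string (assumption).
const MAX_AUTH_LENGTH = 1024;

// Unsafe pattern, for contrast only: the legacy Buffer constructor is
// polymorphic. Given a number it allocates that many bytes instead of
// encoding text (uninitialized memory on Node.js releases before 8.0).
function unsafeProxyAuthHeader(auth) {
  return 'Basic ' + new Buffer(auth).toString('base64');
}

// Hardened form: accept only a bounded string, then encode it with
// Buffer.from(), which never treats its argument as a size.
function proxyAuthHeader(auth) {
  if (typeof auth !== 'string') {
    throw new TypeError('proxy auth must be a "user:password" string');
  }
  if (auth.length === 0 || auth.length > MAX_AUTH_LENGTH) {
    throw new RangeError('proxy auth length out of range');
  }
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// Typed input usually arrives through a parser such as JSON.parse, which
// preserves numbers, arrays and objects. Validate after parsing.
function headerFromJsonConfig(jsonText) {
  const config = JSON.parse(jsonText);
  try {
    return { ok: true, header: proxyAuthHeader(config.auth) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample inputs.
const samples = ['{"auth":"user:pass"}', '{"auth":4096}', '{"auth":["user:pass"]}'];
for (const s of samples) {
  console.log(s, '->', JSON.stringify(headerFromJsonConfig(s)));
}
```

Only the string input yields a header; the numeric and array values are rejected before any buffer is created.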
References (2)
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1567245
Third Party Advisory x_refsource_misc
https://www.npmjs.com/advisories/607
Scores
CVSS v3
9.8
EPSS
0.0139
EPSS Percentile
68.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-665
Status
published
Products (5)
fedoraproject/fedora
27
http-proxy-agent_project/http-proxy-agent
< 2.1.0
npm/http-proxy-agent
0 - 2.1.0 (npm)
redhat/enterprise_linux
7.0
redhat/software_collections
Published
Mar 19, 2021
Tracked Since
Feb 18, 2026