Vulnerability Details : CVE-2017-16026
Potential exploit
Request is an HTTP client. If a request is made using `multipart`, and the body type is a `number`, then that number of bytes of non-zeroed (uninitialized) memory is sent as the part body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.
Vulnerability category: Input validation
Products affected by CVE-2017-16026
- cpe:2.3:a:request_project:request:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-16026
EPSS score: 1.24% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~78% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2017-16026
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.1 | HIGH | AV:N/AC:M/Au:N/C:C/I:N/A:N | 8.6 | 6.9 | NIST | |
5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2017-16026
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
- The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. Assigned by: support@hackerone.com (Secondary)
References for CVE-2017-16026
- https://nodesecurity.io/advisories/309 (npm advisory; Exploit; Third Party Advisory)
- https://github.com/request/request/pull/2018 ("Fix remote memory disclosure with multipart attachments" by feross, Pull Request #2018, request/request; Exploit; Issue Tracking; Third Party Advisory)
- https://github.com/request/request/issues/1904 ("first argument must be a string of Buffer", Issue #1904, request/request; Exploit; Issue Tracking; Third Party Advisory)