NodeJS/concat-stream/1.4.10
writable stream that concatenates strings or binary data and calls a callback with the result
https://www.npmjs.com/package/concat-stream
MIT
2 Security Vulnerabilities
Memory Exposure in concat-stream
- https://github.com/maxogden/concat-stream/pull/47
- https://github.com/advisories/GHSA-g74r-ffvr-5q9f
- https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e
- https://gist.github.com/ChALkeR/c2d2fd3f1d72d51ad883df195be03a85
- https://nodesecurity.io/advisories/597
- https://www.npmjs.com/advisories/597
Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into write().
Versions <1.3.0 are not affected because they do not use the unguarded Buffer constructor.
Recommendation
Update to version 1.5.2, 1.4.11, 1.3.2 or later.
If you are unable to update, make sure user-provided input passed into the write() function is not a number.
Memory Exposure
.write(number) in the affected concat-stream versions passes a number to the Buffer constructor, appending a chunk of uninitialized memory. Versions <1.3.0 are not affected because they do not use the unguarded Buffer constructor.
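The fixed-version boundaries and the "not a number" workaround from the advisories above, as an added example; it is not code from concat-stream or from the advisories. The names isAffected, guardChunk and safeWrite are hypothetical, and the JSON body is constructed sample input.

```javascript
// First patched patch-level on each affected release line, per the advisory:
// "Update to version 1.5.2, 1.4.11, 1.3.2 or later."
const FIRST_FIXED_PATCH = { '1.3': 2, '1.4': 11, '1.5': 2 };

// Parse a plain "major.minor.patch" string into three integers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new TypeError('not a plain x.y.z version: ' + v);
  return m.slice(1).map(Number);
}

// True when a concat-stream version is in the vulnerable range: on the
// 1.3, 1.4 or 1.5 line and below that line's first fixed release.
function isAffected(version) {
  const [major, minor, patch] = parseVersion(version);
  const fixedPatch = FIRST_FIXED_PATCH[major + '.' + minor];
  // Unlisted lines are either <1.3.0 (not affected) or >=1.6.0 (fixed).
  return fixedPatch !== undefined && patch < fixedPatch;
}

// Workaround when upgrading is not possible: reject numeric chunks before
// they reach write(), where an affected version would hand them to Buffer.
function guardChunk(chunk) {
  if (typeof chunk === 'number' || chunk instanceof Number) {
    throw new TypeError('numeric chunk refused before write()');
  }
  return chunk;
}

// Wrap any object exposing write(); the chunk is checked first.
function safeWrite(stream, chunk) {
  return stream.write(guardChunk(chunk));
}

// Constructed sample: a JSON request body whose "data" field is a number
// where the application expected a string.
const sampleBody = JSON.parse('{"data": 4096}');
const sink = { chunks: [], write(c) { this.chunks.push(c); return true; } };
let refused = false;
try {
  safeWrite(sink, sampleBody.data);
} catch (err) {
  refused = err instanceof TypeError;
}
console.log('1.4.10 affected:', isAffected('1.4.10'), '| numeric chunk refused:', refused);
```

The guard belongs at the point where untrusted, parsed input (for example a JSON field) is first handed to the stream, since that is where a string can silently become a number.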
37 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
0.0.1 | MIT | | 2012-08-03 - 01:41 | almost 12 years |
0.0.2 | MIT | | 2012-08-03 - 02:12 | almost 12 years |
0.0.3 | MIT | | 2012-08-03 - 03:24 | almost 12 years |
0.0.4 | MIT | | 2012-08-03 - 03:35 | almost 12 years |
0.0.5 | MIT | | 2012-08-03 - 03:54 | almost 12 years |
0.0.6 | MIT | | 2012-08-03 - 03:56 | almost 12 years |
0.0.7 | MIT | | 2012-08-03 - 22:23 | over 11 years |
0.0.8 | MIT | | 2012-08-04 - 20:32 | over 11 years |
0.0.9 | MIT | | 2012-09-10 - 06:21 | over 11 years |
0.1.0 | MIT | | 2012-09-10 - 19:05 | over 11 years |
0.1.1 | MIT | | 2013-01-26 - 19:28 | over 11 years |
1.0.0 | MIT | | 2013-05-23 - 10:34 | almost 11 years |
1.1.0 | MIT | | 2013-10-28 - 12:38 | over 10 years |
1.2.0 | MIT | | 2013-11-15 - 15:46 | over 10 years |
1.4.6 | MIT | 2 | 2014-06-02 - 20:58 | almost 10 years |
1.2.1 | MIT | | 2013-12-02 - 23:14 | over 10 years |
1.3.0 | MIT | 2 | 2013-12-28 - 19:20 | over 10 years |
1.3.1 | MIT | 2 | 2013-12-28 - 21:11 | over 10 years |
1.4.0 | MIT | 2 | 2014-01-02 - 19:57 | over 10 years |
1.4.1 | MIT | 2 | 2014-01-06 - 06:35 | over 10 years |
1.4.2 | MIT | 2 | 2014-03-05 - 18:24 | about 10 years |
1.4.3 | MIT | 2 | 2014-03-05 - 21:51 | about 10 years |
1.4.4 | MIT | 2 | 2014-03-12 - 16:23 | about 10 years |
1.4.5 | MIT | 2 | 2014-04-15 - 02:32 | about 10 years |
1.3.2 | MIT | | 2018-03-01 - 13:15 | about 6 years |
1.4.7 | MIT | 2 | 2014-11-27 - 18:35 | over 9 years |
1.4.8 | MIT | 2 | 2015-04-04 - 00:15 | about 9 years |
1.4.10 | MIT | 2 | 2015-06-10 - 18:44 | almost 9 years |
1.5.0 | MIT | 2 | 2015-06-17 - 04:36 | almost 9 years |
1.5.1 | MIT | 2 | 2015-10-18 - 22:10 | over 8 years |
1.5.2 | MIT | | 2016-09-01 - 07:33 | over 7 years |
1.6.0 | MIT | | 2016-12-19 - 15:44 | over 7 years |
1.4.11 | MIT | | 2018-03-01 - 13:14 | about 6 years |
2.0.0 | MIT | | 2018-12-21 - 14:22 | over 5 years |
1.6.1 | MIT | | 2018-03-01 - 14:35 | about 6 years |
1.6.2 | MIT | | 2018-03-21 - 15:17 | about 6 years |
1.0.1 | BSD | | 2013-08-17 - 04:19 | over 10 years |