NodeJS/concat-stream/1.5.1


writable stream that concatenates strings or binary data and calls a callback with the result

https://www.npmjs.com/package/concat-stream
MIT

2 Security Vulnerabilities

Memory Exposure in concat-stream

Published date: 2019-06-03T17:26:44Z

Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into write().

Versions <1.3.0 are not affected because they do not use the unguarded Buffer constructor.

Recommendation

Update to version 1.5.2, 1.4.11, 1.3.2 or later.

If you are unable to update, make sure user-provided input passed into the write() function is not a number.

Affected versions: ["1.3.0", "1.3.1", "1.4.0", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.10", "1.5.0", "1.5.1"]
Secure versions: [0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.1.0, 0.1.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.5.2, 1.6.0, 1.4.11, 1.3.2, 1.6.1, 1.6.2, 2.0.0]
Recommendation: Update to version 2.0.0.

Memory Exposure

Published date: 2016-08-19
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

.write(number) in the affected concat-stream versions passes a number to the Buffer constructor, appending a chunk of uninitialized memory. Versions <1.3.0 are not affected because they do not use the unguarded Buffer constructor.

Affected versions: ["1.3.0", "1.3.1", "1.4.0", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.10", "1.5.0", "1.5.1"]
Secure versions: [0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.1.0, 0.1.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.5.2, 1.6.0, 1.4.11, 1.3.2, 1.6.1, 1.6.2, 2.0.0]
Recommendation: update concat-stream to 1.5.2 or higher
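
The two mitigations from the advisories above (identify an affected release, and keep numbers out of write() when you cannot update), as an added example that is not code from concat-stream or from this page. The names `isAffected`, `assertSafeChunk`, `guardWritable` and `demo` are hypothetical, and the sample input is constructed.

```javascript
// Added example: helper names are hypothetical, not part of concat-stream.

// First patched release in each affected minor line, as listed on this page.
const FIXED_PATCH = { '1.3': 2, '1.4': 11, '1.5': 2 };

// True when `version` is 1.3.0 or later and older than the fix for its line.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) throw new TypeError('expected x.y.z, got ' + String(version));
  const [major, minor, patch] = m.slice(1).map(Number);
  const fixed = FIXED_PATCH[major + '.' + minor];
  return fixed !== undefined && patch < fixed;
}

// Refuse the one chunk type the advisory names: a number handed to write().
function assertSafeChunk(chunk) {
  if (typeof chunk === 'number') {
    throw new TypeError('numeric chunk rejected before write()');
  }
  return chunk;
}

// Wrap a writable so every chunk is checked before the real stream sees it.
function guardWritable(writable) {
  return {
    write(chunk, ...rest) {
      return writable.write(assertSafeChunk(chunk), ...rest);
    },
    end(chunk, ...rest) {
      // end(chunk) also writes the chunk, so it gets the same check.
      if (chunk !== undefined && typeof chunk !== 'function') assertSafeChunk(chunk);
      return writable.end(chunk, ...rest);
    },
  };
}

// Constructed demo: a JSON body whose "data" field decodes to a number.
function demo() {
  const received = [];
  const sink = { write(c) { received.push(c); return true; }, end() {} }; // stand-in stream
  const guarded = guardWritable(sink);
  const body = JSON.parse('{"data": 4096}'); // constructed request body
  let rejected = false;
  try { guarded.write(body.data); } catch (e) { rejected = e instanceof TypeError; }
  guarded.write('hello');
  return { rejected, received, pinnedIsAffected: isAffected('1.5.1') };
}
```
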

37 Other Versions

Version License Security Released
2.0.0 MIT 2018-12-21 - 14:22 over 5 years
1.6.2 MIT 2018-03-21 - 15:17 about 6 years
1.6.1 MIT 2018-03-01 - 14:35 about 6 years
1.6.0 MIT 2016-12-19 - 15:44 over 7 years
1.5.2 MIT 2016-09-01 - 07:33 over 7 years
1.5.1 MIT 2 2015-10-18 - 22:10 over 8 years
1.5.0 MIT 2 2015-06-17 - 04:36 almost 9 years
1.4.11 MIT 2018-03-01 - 13:14 about 6 years
1.4.10 MIT 2 2015-06-10 - 18:44 almost 9 years
1.4.8 MIT 2 2015-04-04 - 00:15 about 9 years
1.4.7 MIT 2 2014-11-27 - 18:35 over 9 years
1.4.6 MIT 2 2014-06-02 - 20:58 almost 10 years
1.4.5 MIT 2 2014-04-15 - 02:32 about 10 years
1.4.4 MIT 2 2014-03-12 - 16:23 about 10 years
1.4.3 MIT 2 2014-03-05 - 21:51 about 10 years
1.4.2 MIT 2 2014-03-05 - 18:24 about 10 years
1.4.1 MIT 2 2014-01-06 - 06:35 over 10 years
1.4.0 MIT 2 2014-01-02 - 19:57 over 10 years
1.3.2 MIT 2018-03-01 - 13:15 about 6 years
1.3.1 MIT 2 2013-12-28 - 21:11 over 10 years
1.3.0 MIT 2 2013-12-28 - 19:20 over 10 years
1.2.1 MIT 2013-12-02 - 23:14 over 10 years
1.2.0 MIT 2013-11-15 - 15:46 over 10 years
1.1.0 MIT 2013-10-28 - 12:38 over 10 years
1.0.1 BSD 2013-08-17 - 04:19 over 10 years
1.0.0 MIT 2013-05-23 - 10:34 almost 11 years
0.1.1 MIT 2013-01-26 - 19:28 about 11 years
0.1.0 MIT 2012-09-10 - 19:05 over 11 years
0.0.9 MIT 2012-09-10 - 06:21 over 11 years
0.0.8 MIT 2012-08-04 - 20:32 over 11 years
0.0.7 MIT 2012-08-03 - 22:23 over 11 years
0.0.6 MIT 2012-08-03 - 03:56 over 11 years
0.0.5 MIT 2012-08-03 - 03:54 over 11 years
0.0.4 MIT 2012-08-03 - 03:35 over 11 years
0.0.3 MIT 2012-08-03 - 03:24 over 11 years
0.0.2 MIT 2012-08-03 - 02:12 over 11 years
0.0.1 MIT 2012-08-03 - 01:41 over 11 years