CVE-2017-16026
Information Disclosure vulnerability in request (npm)
What is CVE-2017-16026 About?
This information disclosure vulnerability in the `request` package can disclose local system memory to remote systems under specific multipart request conditions. When a multipart request uses a numeric body type, a buffer of that size is allocated and sent. Exploitation is of moderate complexity, requiring specific request crafting.
Affected Software
- request
  - >2.49.0, <2.68.0
  - >2.2.6, <2.68.0
Technical Details
Affected versions of the request package are vulnerable to information disclosure. When a multipart request is constructed, and the body field within one of the multipart parts is set to a number type, the request library incorrectly interprets this number as the size of a buffer to allocate. Instead of sending an empty body or handling the numeric input properly, it allocates a buffer of the specified size and sends the uninitialized (or potentially previously used) memory contents of that buffer to the remote server. This can result in sensitive local system memory being leaked to a remote attacker.
What is the Impact of CVE-2017-16026?
Successful exploitation may allow attackers to remotely gain access to arbitrary contents of the local system's memory, potentially leading to disclosure of sensitive data, credentials, or other critical internal information.
What is the Exploitability of CVE-2017-16026?
Exploitation is of moderate complexity, requiring an attacker to be able to dictate the structure of a multipart request processed by the vulnerable request package. This typically involves remote access, where the attacker sends a malicious request to a server using the vulnerable component, or tricks a client using the component into making a malicious request. No specific authentication is required at the point of exploit, beyond the ability to send a crafted request. The prerequisite is that the application uses the request library and constructs multipart requests allowing the 'body' property to be a number. Risk factors include applications that accept user-controlled data for structuring multipart requests.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-16026?
Available Upgrade Options
- request
  - >2.2.6, <2.68.0 → Upgrade to 2.68.0
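An added example (not code from the request project or from this advisory): a pre-flight check that flags an installed version inside the affected range listed above and rejects multipart options whose part `body` is a number before they reach the library. The function names are hypothetical; the `multipart` array and `{ data: [...] }` shapes are the option forms documented in request's README.

```javascript
// Affected range as listed on this page: >2.2.6, <2.68.0 (fixed in 2.68.0).
const AFFECTED_ABOVE = '2.2.6';
const FIXED_IN = '2.68.0';

// Compare two plain "x.y.z" versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when the installed request version falls inside the affected range.
function isAffectedRequestVersion(version) {
  return compareVersions(version, AFFECTED_ABOVE) > 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// request accepts `multipart` as an array of parts or as { data: [...] }.
function multipartParts(options) {
  const mp = options && options.multipart;
  if (Array.isArray(mp)) return mp;
  if (mp && Array.isArray(mp.data)) return mp.data;
  return [];
}

// Return the indexes of parts whose `body` is a number, the condition
// that triggers the disclosure on affected versions.
function findNumericBodies(options) {
  const bad = [];
  multipartParts(options).forEach((part, i) => {
    if (part && typeof part.body === 'number') bad.push(i);
  });
  return bad;
}

// Throw before the options reach request() if any part is unsafe.
function assertSafeMultipart(options) {
  const bad = findNumericBodies(options);
  if (bad.length > 0) {
    throw new TypeError('multipart part(s) ' + bad.join(', ') +
      ' have a numeric body; convert to string or Buffer first');
  }
  return options;
}
```

A numeric body most often arrives through JSON-decoded input that is copied into a part unchanged, so the check belongs at the point where such input is turned into request options.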
Additional Resources
- https://github.com/request/request/pull/2022
- https://nvd.nist.gov/vuln/detail/CVE-2017-16026
- https://github.com/request/request
- https://github.com/request/request/issues/1904
- https://github.com/request/request/commit/29d81814bc16bc79cb112b4face8be6fc00061dd
- https://github.com/request/request/pull/2018
- https://osv.dev/vulnerability/GHSA-7xfp-9c55-5vqj
- https://nodesecurity.io/advisories/309
What are Similar Vulnerabilities to CVE-2017-16026?
Similar Vulnerabilities: CVE-2016-10750, CVE-2021-22923, CVE-2021-43845, CVE-2022-24756, CVE-2023-22809
