CVE-2017-16129
denial of service vulnerability in superagent
What is CVE-2017-16129 About?
This is a denial of service (DoS) vulnerability in affected versions of `superagent` caused by a 'ZIP bomb' attack. The library fails to check compressed HTTP response sizes before decompression, allowing a small malicious ZIP file to consume excessive resources. This typically leads to a denial of service and is relatively easy to exploit.
Affected Software
Technical Details
The vulnerability in `superagent` arises because the library does not validate the post-decompression size of HTTP responses that are ZIP compressed before it attempts to decompress them. An attacker can craft a 'ZIP bomb' – a highly compressed file that, when uncompressed, expands to an extremely large size (e.g., gigabytes or terabytes). When a vulnerable `superagent` client attempts to download and automatically decompress such a response, the decompression process will consume excessive CPU, memory, and/or disk resources. This resource exhaustion can lead to the client application, or even the underlying operating system, becoming unresponsive or crashing, thus resulting in a denial of service.
What is the Impact of CVE-2017-16129?
Successful exploitation may allow attackers to cause the client application to exhaust computational resources (CPU, memory, disk), leading to a denial of service and potential system instability.
What is the Exploitability of CVE-2017-16129?
Exploitation of this vulnerability is of low complexity. It requires an attacker to control a server that a vulnerable `superagent` client will make a request to. The attacking server then returns a specially crafted HTTP response containing a ZIP bomb. No authentication is required on the client side, as the vulnerability lies in the client's handling of the response. The attack is remote, as it involves communication between an attacker-controlled server and a vulnerable client. Special conditions include the client making a request to a malicious or compromised endpoint and `superagent` being configured to automatically decompress ZIP-compressed responses. The likelihood of exploitation increases if the client application fetches resources from external, untrusted sources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-16129?
Available Upgrade Options
- superagent
- <3.7.0 → Upgrade to 3.7.0
Additional Resources
- https://github.com/visionmedia/superagent/issues/1259
- https://nvd.nist.gov/vuln/detail/CVE-2017-16129
- https://www.npmjs.com/advisories/479
- https://nodesecurity.io/advisories/479
- https://github.com/advisories/GHSA-8225-6cvr-8pqp
- https://en.wikipedia.org/wiki/Zip_bomb
- https://osv.dev/vulnerability/GHSA-8225-6cvr-8pqp
What are Similar Vulnerabilities to CVE-2017-16129?
Similar Vulnerabilities: CVE-2016-10542, CVE-2017-12626, CVE-2018-3721, CVE-2018-1000537, CVE-2017-15412
