CVE-2019-10196
Denial of Service vulnerability in http-proxy-agent (npm)

Vulnerability type: Denial of Service. Known public exploits: none.

What is CVE-2019-10196 About?

This vulnerability in http-proxy-agent (versions prior to 2.1.0) can lead to Denial of Service and data exposure. The library passes the 'auth' option of the proxy configuration to the Node.js Buffer constructor without checking its type. Because `new Buffer(value)` encodes a string but allocates `value` bytes when given a number, an attacker who can supply a typed (non-string) value for 'auth', for example a number parsed from JSON, controls how much memory is allocated and encoded. Exploitation is straightforward in the specific setups where such typed input reaches the 'auth' option.

Affected Software

http-proxy-agent <2.1.0

Technical Details

The flaw is in the code that builds the Proxy-Authorization header: the auth option is handed directly to the Node.js Buffer constructor, whose behaviour depends on the type of its argument. A string is copied into a new buffer, but a number is treated as a size, so `new Buffer(n)` allocates n bytes. An attacker able to supply a numeric auth value can therefore force a very large allocation followed by a base64 encoding of it, consuming all available CPU (and memory) and causing a Denial of Service. On Node.js versions where the Buffer constructor does not zero-fill a size-based allocation (before Node.js 8), the buffer contains whatever was previously in that memory, and encoding it into the header exposes uninitialized memory contents. Version 2.1.0 stops passing the raw option to the deprecated Buffer constructor; `Buffer.from()` rejects a number with a TypeError instead of treating it as a size.

What is the Impact of CVE-2019-10196?

Successful exploitation allows an attacker to disrupt the service by forcing a large allocation and the CPU-bound encoding of it, leading to a Denial of Service. On Node.js versions that do not zero-fill constructor allocations, it can also expose sensitive data, because the contents of uninitialized memory end up in the Proxy-Authorization header.

What is the Exploitability of CVE-2019-10196?

Exploitation requires that the attacker control the value, and specifically the type, of the auth option that the application passes to http-proxy-agent. http-proxy-agent is a client-side library, so it has no network-exposed input of its own; the exposure arises in applications that build proxy settings from untrusted data whose types are preserved, such as a JSON request body or configuration file, where a number stays a number rather than being coerced to a string. Where such a path exists it can be reached remotely and without authentication, but it only exists if the application forwards user-supplied values into the proxy options, which is uncommon. The complexity is low once that path is found: a single numeric value is enough. No privileges are required beyond the ability to supply that input.
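As an added example (not code from http-proxy-agent itself), the following Node.js snippet reproduces the pattern described in the Technical Details and Exploitability sections: a function that hands `auth` straight to the Buffer constructor, next to a hardened version, both fed a numeric auth value taken from a JSON-parsed configuration. The function names, the `MAX_AUTH_LENGTH` limit and the configuration document are assumptions made for illustration, and the number is kept small so the demo runs safely.

```javascript
// Added example, not http-proxy-agent's own code. Function names, the
// MAX_AUTH_LENGTH limit and the sample configuration are assumed.

// Vulnerable shape: mirrors the pre-2.1.0 pattern of handing `auth` to the
// Buffer constructor. new Buffer("user:pass") encodes the string, but
// new Buffer(1073741824) ALLOCATES that many bytes (uninitialised on Node < 8,
// zero-filled on newer Node) and then base64-encodes them, so the caller of
// the library ends up letting the attacker choose allocation size and CPU work.
function buildProxyAuthHeaderVulnerable(auth) {
  // Deprecated constructor kept on purpose to show the original behaviour.
  return 'Basic ' + new Buffer(auth).toString('base64');
}

// Hardened shape: accept only a string of bounded length, then use
// Buffer.from, which has no size-taking overload (Buffer.from(16) throws).
const MAX_AUTH_LENGTH = 1024; // assumed limit for this example

function buildProxyAuthHeader(auth) {
  if (typeof auth !== 'string') {
    throw new TypeError('proxy auth must be a string, got ' + typeof auth);
  }
  if (auth.length === 0 || auth.length > MAX_AUTH_LENGTH) {
    throw new RangeError('proxy auth length out of range');
  }
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// "Typed input": a JSON document keeps the number type, so the value that
// reaches the library is the number 16, not the string "16". Constructed
// sample, deliberately small; an attacker would use something like 1e9.
const untrustedConfig = JSON.parse(
  '{"proxy": {"host": "proxy.example", "port": 8080, "auth": 16}}'
);

function demo() {
  const auth = untrustedConfig.proxy.auth;
  // Vulnerable path: 16 bytes allocated (not the 2-character string "16"),
  // then base64-encoded into 24 characters of raw memory contents.
  const header = buildProxyAuthHeaderVulnerable(auth);
  // Hardened path: rejected before any allocation happens.
  let rejectedWith = null;
  try {
    buildProxyAuthHeader(auth);
  } catch (err) {
    rejectedWith = err.name;
  }
  return { vulnerableHeaderLength: header.length, rejectedWith: rejectedWith };
}

module.exports = { buildProxyAuthHeaderVulnerable, buildProxyAuthHeader, demo };
```

Run it with `node`; the first `new Buffer()` call prints a DEP0005 deprecation warning on stderr, which is itself a useful signal when auditing a dependency tree for this class of bug. The type check, not the switch to `Buffer.from()` alone, is what makes the failure explicit and early.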

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits.

What are the Available Fixes for CVE-2019-10196?

Available Upgrade Options

  • http-proxy-agent
    • <2.1.0 → Upgrade to 2.1.0 or later

Running on Node.js 8 or later removes the memory disclosure, because the Buffer constructor zero-fills size-based allocations there, but it does not remove the Denial of Service; upgrading the package is the fix.


Additional Resources

What are Similar Vulnerabilities to CVE-2019-10196?

Similar Vulnerabilities: CVE-2022-24434, CVE-2021-23382, CVE-2020-15169, CVE-2019-10775, CVE-2019-15587