CVE-2023-46308
Denial of Service (DoS) vulnerability in plotly/plotly.js (Packagist)
What is CVE-2023-46308 About?
This Denial of Service (DoS) vulnerability affects `http-proxy-middleware` versions before 2.0.7, and 3.0.0 through 3.0.2, due to an `UnhandledPromiseRejection` error. Attackers can crash the Node.js process by making requests to specific paths. Exploitation is easy, requiring crafted HTTP requests.
Affected Software
- plotly/plotly.js
- <2.25.2
- plotly.js
- <2.25.2
Technical Details
The Denial of Service (DoS) vulnerability in http-proxy-middleware versions before 2.0.7 (and 3.0.0 through 3.0.2) is caused by an UnhandledPromiseRejection error thrown by the internal micromatch dependency. This occurs when the http-proxy-middleware processes certain crafted HTTP requests, specifically those targeting unusual or malformed paths that trigger an unhandled rejection within the micromatch pattern matching logic. Because the promise rejection is not caught and handled gracefully, it can lead to the termination of the Node.js process, effectively crashing the server and resulting in a denial of service for all users. The vulnerability exploits a lack of robust error handling for fringe cases in path matching during proxy operations.
What is the Impact of CVE-2023-46308?
Successful exploitation may allow attackers to crash the Node.js application, leading to a denial of service, service unavailability, and potential data loss.
What is the Exploitability of CVE-2023-46308?
Exploitation of this Denial of Service vulnerability is relatively easy: it involves sending HTTP requests to specific, potentially malformed, paths that trigger the UnhandledPromiseRejection, so attack complexity is low. There are no authentication or privilege requirements; any unauthenticated user capable of sending HTTP requests to the target proxy can attempt the exploit. It is a remote vulnerability. The primary risk factor is an http-proxy-middleware instance that is publicly exposed and processes untrusted request paths without adequate error handling around its internal dependencies such as micromatch. The specific conditions depend on the path patterns that trigger the unhandled promise rejection.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-46308?
Available Upgrade Options
- plotly.js
- <2.25.2 → Upgrade to 2.25.2
- plotly/plotly.js
- <2.25.2 → Upgrade to 2.25.2
Additional Resources
- https://github.com/plotly/plotly.js/releases/tag/v2.25.2
- https://github.com/plotly/plotly.js/commit/5efd2a1f07a418b230a5626fc6c1c7929c47949d
- https://plotly.com/javascript/
- https://nvd.nist.gov/vuln/detail/CVE-2023-46308
- https://github.com/plotly/plotly.js/commit/02498404c8ad7a3395191e65694fb142a37b0fe9
- https://osv.dev/vulnerability/GHSA-wjc4-73q6-gv3m
- https://github.com/plotly/plotly.js
What are Similar Vulnerabilities to CVE-2023-46308?
Similar Vulnerabilities: CVE-2023-34036, CVE-2023-34037, CVE-2023-34038, CVE-2023-34039, CVE-2023-34040
