CVE-2017-16026
published 2018-06-04
Priority P431 · medium · 5.9 (CVSS 3.0)
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS 2.63% (83.6th percentile)
Request is an http client. If a request is made using `multipart`, and the body type is a `number`, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 2.51.0 <=2.67.0.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-request | < node-request 2.88.1-1 (bookworm) | node-request 2.88.1-1 (bookworm) |
| hackerone | request_node_module | — | — |
| request_project | request | <= 2.67.0 | — |
| request_project | request | >= 2.2.6 < 2.47.0 | 2.47.0 |
| request_project | request | >= 2.2.6 < 2.68.0 | 2.68.0 |
| request_project | request | >= 2.49.0 < 2.68.0 | 2.68.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 7.1 | HIGH | AV:N/AC:M/Au:N/C:C/I:N/A:N |
| osv | — | 5.9 | MEDIUM | — |
| vendor_debian | — | 5.9 | MEDIUM | — |
| vendor_redhat | — | 5.9 | MEDIUM | — |
Debian
CVE-2017-16026: node-request - Request is an http client. If a request is made using `multipart`, and the b...
vendor_debian · 2017 · CVSS 5.9 · MEDIUM
Request is an http client. If a request is made using `multipart`, and the body type is a `number`, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 2.51.0 <=2.67.0.
Scope: local
bookworm: resolved (fixed in 2.88.1-1)
bullseye: resolved (fixed in 2.88.1-1)
Red Hat
nodejs-request: Remote Memory Exposure when a multipart request is made
vendor_redhat · 2015-11-16 · CVSS 5.9 · MEDIUM · CWE-201
Request is an http client. If a request is made using `multipart`, and the body type is a `number`, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 2.51.0 <=2.67.0.
Package: nodejs-request (Red Hat Enterprise Linux 8) - Will not fix
Package: nodejs-request (Red Hat Mobile Application Platform 4) - Not affected
Package: nodejs-request (Red Hat OpenShift Enterprise 3) - Not affected
Package: rh-nodejs6-nodejs-request (Red Hat Software Collections) - Not affected
GHSA
Remote Memory Exposure in request
ghsa · 2018-11-09 · MEDIUM · CWE-201
Affected versions of `request` will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of `body` is `number`, then a buffer of that size will be allocated and sent to the remote server as the body.
## Proof of Concept
```js
var request = require('request');
var http = require('http');

// Receiving side: logs whatever bytes arrive in the request body.
var serveFunction = function (req, res) {
  req.on('data', function (data) {
    console.log(data)
  });
  res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

// Sending side: a multipart part whose body is a number rather than content.
request({
  method: "POST",
  uri: 'http://localhost:8000',
  multipart: [{body:500}]
},function(err,res,body){});
```
## Recommendation
Update to version 2.68.0 or later
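A defensive counterpart to the advisory text, added here as an example (it is not code from the advisory or from the request project): it validates each multipart part's `body` before the options object is handed to an HTTP client, so a value that has drifted to a number (for instance through JSON parsing of configuration) is rejected rather than turned into an allocation of that size, and it shows a zero-filled allocation for callers that legitimately need a buffer of a given length. The function names `validateMultipartParts`, `checkRequestOptions`, `zeroFilledBody` and `demo` are assumptions; the `{ data: [...] }` form is request's documented object shape for the `multipart` option.

```javascript
// Added example, not from the advisory or the request project.
// Guards the `multipart` option before it reaches an HTTP client so that a
// part whose body is a number (the condition described in CVE-2017-16026)
// is rejected instead of being turned into a buffer of that size.

function isStream(value) {
  // Minimal duck-typing check: readable streams expose pipe().
  return value !== null && typeof value === 'object' && typeof value.pipe === 'function';
}

// Only body types that carry actual content are acceptable.
function isAcceptableBody(body) {
  return typeof body === 'string' || Buffer.isBuffer(body) || isStream(body);
}

// Hypothetical helper: returns the parts unchanged when every body is a
// string, Buffer or stream; throws TypeError otherwise.
function validateMultipartParts(parts) {
  if (!Array.isArray(parts)) {
    throw new TypeError('multipart must be an array of parts');
  }
  parts.forEach(function (part, i) {
    if (part === null || typeof part !== 'object') {
      throw new TypeError('part ' + i + ' must be an object');
    }
    if (!isAcceptableBody(part.body)) {
      throw new TypeError('part ' + i + ': body must be a string, Buffer or stream, got ' +
        typeof part.body);
    }
  });
  return parts;
}

// Hypothetical helper: copies a request-style options object and validates
// `multipart` if present, so the check runs before any client consumes it.
function checkRequestOptions(options) {
  const copy = Object.assign({}, options);
  if (copy.multipart !== undefined) {
    if (Array.isArray(copy.multipart)) {
      validateMultipartParts(copy.multipart);
    } else if (copy.multipart && Array.isArray(copy.multipart.data)) {
      // request's documented object form: { chunked: ..., data: [parts] }
      validateMultipartParts(copy.multipart.data);
    } else {
      throw new TypeError('multipart must be an array of parts or { data: [...] }');
    }
  }
  return copy;
}

// For callers that genuinely hold only a length: Buffer.alloc zero-fills,
// so nothing previously held in process memory can end up in the body.
function zeroFilledBody(size) {
  if (!Number.isInteger(size) || size < 0) {
    throw new RangeError('size must be a non-negative integer');
  }
  return Buffer.alloc(size);
}

// Constructed sample input mirroring the shape of the advisory's PoC options.
function demo() {
  const unsafeOptions = { method: 'POST', uri: 'http://localhost:8000', multipart: [{ body: 500 }] };
  let rejected = false;
  try {
    checkRequestOptions(unsafeOptions);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const safeOptions = checkRequestOptions({
    method: 'POST', uri: 'http://localhost:8000', multipart: [{ body: zeroFilledBody(500) }],
  });
  return { rejected: rejected, acceptedLength: safeOptions.multipart[0].body.length };
}
```

`demo()` returns `{ rejected: true, acceptedLength: 500 }`: the numeric body is refused before any network call, while a zero-filled 500-byte Buffer passes through unchanged. The check is independent of which client version is installed, so it also covers code paths that upgrade the library but still build part bodies from loosely typed input.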
OSV
Remote Memory Exposure in request
osv · 2018-11-09 · MEDIUM
OSV
CVE-2017-16026: Request is an http client
osv · 2018-06-04 · CVSS 5.9 · MEDIUM
Request is an http client. If a request is made using `multipart`, and the body type is a `number`, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 2.51.0 <=2.67.0.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-16026 nodejs-request: Remote Memory Exposure when a multipart request is made [fedora-all]
bugzilla · 2018-06-07 · CVSS 5.9 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multi
Bugzilla
CVE-2017-16026 nodejs-request: Remote Memory Exposure when a multipart request is made
bugzilla · 2018-06-07 · CVSS 5.9 · MEDIUM
A flaw was found in Request >=2.2.6 2.51.0 <=2.67.0. Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body.
References:
https://github.com/request/request/issues/1904
https://nodesecurity.io/advisories/309
Patch:
https://github.com/request/request/pull/2018
Discussion:
Created nodejs-request tracking bugs for this issue:
Affects: epel-all [bug 1588834]
Affects: fedora-all [bug 1588836]
---
The current version (2.75.0) of request shipped in Red Hat Software Collections is not affected.
Bugzilla
CVE-2017-16026 nodejs-request: Remote Memory Exposure when a multipart request is made [epel-all]
bugzilla · 2018-06-07 · CVSS 5.9 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
Published 2018-06-04