CVE-2014-4179 — Denial of Service in yar

Description

Versions of `yar` prior to 2.2.0 are affected by a denial of service vulnerability related to an invalid encrypted session cookie value. When an invalid encryped session cookie value is provided, the process will crash. ## Recommendation Update to version 2.2.0 or later.

How to fix CVE-2014-4179

To remediate CVE-2014-4179, upgrade the affected package to a fixed version below.

npm/yar—upgrade to 2.2.0 or later

Is CVE-2014-4179 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2014-4179.

Affected packages (1)

from 0, < 2.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-4179
WEBgithub.com/spumko/yar
WEBgithub.com/spumko/yar/issues/34
WEBwww.npmjs.com/advisories/44