CVE-2019-10196
Resource Exhaustion Denial of Service in http-proxy-agent
Severity: 9.8 CRITICAL (CVSS 3.1) | EPSS 0.36%
Description
A flaw was found in http-proxy-agent prior to version 2.1.0. It was discovered that http-proxy-agent passes the `auth` option to the Buffer constructor without proper sanitization. In setups where an attacker can submit typed (non-string) input to the `auth` parameter, this could result in a Denial of Service through consumption of all available CPU resources, and in data exposure through an uninitialized memory leak.
How to fix CVE-2019-10196
To remediate CVE-2019-10196, upgrade the affected package to a fixed version below.
- Upgrade http-proxy-agent to 2.1.0 or later
Is CVE-2019-10196 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- http-proxy-agent: versions >= 0, < 2.1.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |