Package: node-concat-stream
Version: 1.5.1-1
Severity: grave
Tags: patch security fixed-upstream fixed-in-experimental


concat-stream is a writable stream that concatenates strings or binary data and 
calls a callback with the result. Affected versions of the package are 
vulnerable to Uninitialized Memory Exposure.

A possible memory disclosure vulnerability exists when a value of type number 
is provided to the stringConcat() method and results in concatenation of 
uninitialized memory to the stream collection.

This is a result of unobstructed use of the Buffer constructor, whose insecure 
default constructor increases the odds of memory leakage.
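
The following sketch is an added example, not code from concat-stream or from this report. It contrasts a conversion that treats a number as a buffer length with one that serializes it as text. The names legacyToBuffer, toBufferSafe and concatWith and the sample input are hypothetical, and Buffer.allocUnsafe() stands in for the unzeroed allocation that a numeric argument to the Buffer constructor produced on Node.js releases before 8.0.

```javascript
// Added illustration; function names are hypothetical, not concat-stream's API.

// Models how the legacy Buffer constructor handled its argument:
// a number was taken as a LENGTH, and before Node.js 8.0 those bytes
// were not zeroed. Buffer.allocUnsafe() makes that behaviour explicit.
function legacyToBuffer(value) {
  if (typeof value === 'number') {
    return Buffer.allocUnsafe(value); // n bytes of whatever was in memory
  }
  return Buffer.from(value);
}

// Hardened conversion: every input type is handled explicitly and a
// number can only ever contribute its own textual representation.
function toBufferSafe(chunk) {
  if (Buffer.isBuffer(chunk)) return chunk;
  if (typeof chunk === 'string') return Buffer.from(chunk, 'utf8');
  if (chunk instanceof Uint8Array || Array.isArray(chunk)) {
    return Buffer.from(chunk); // byte values are copied, never a length
  }
  return Buffer.from(String(chunk), 'utf8'); // numbers, booleans, null, ...
}

// Concatenate the written parts using the given conversion.
function concatWith(convert, parts) {
  return Buffer.concat(parts.map(convert));
}

// Constructed input: a caller writes a number between two strings.
const parts = ['id=', 8, ';'];

const risky = concatWith(legacyToBuffer, parts);
const safe = concatWith(toBufferSafe, parts);

// The risky result carries 8 bytes that the caller never supplied.
console.log('risky length:', risky.length);
console.log('safe output :', JSON.stringify(safe.toString('utf8')));
```

A quick audit check for the same pattern in other code is to search for Buffer(...) or new Buffer(...) calls whose argument is not guaranteed to be a string or byte array, and replace them with Buffer.from() or Buffer.alloc().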

