CVE-2017-16025: Denial of Service in nes
4.3
CVSS Score
Basic Information
CVE ID
GHSA ID
EPSS Score
0.57825%
CWE
Published
7/24/2018
Updated
1/9/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
AV:N/AC:M/Au:N/C:N/I:N/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
nes | npm | <= 6.4.0 | 6.4.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the cookie parsing logic in the _authenticate
method. The original code (pre-6.4.1) used a callback that ignored parsing errors (ignoreErr
parameter), proceeding to access state[config.cookie]
even when parsing failed. The commit 249ba17
fixed this by adding error handling to the cookie parsing callback. The stack trace in GitHub issue #171 directly points to line 540 in socket.js
where the unhandled null state access occurs, confirming this function's role in the vulnerability.