5.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16026

GHSA ID

GHSA-7xfp-9c55-5vqj

EPSS Score

0.78318%

CWE

CWE-201

Published

11/9/2018

Updated

9/12/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16026

CVE-2017-16026: Remote Memory Exposure in request

Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body.

Proof of Concept

var request = require('request');
var http = require('http');

var serveFunction = function (req, res){
	req.on('data', function (data) {
            console.log(data)
        });
	res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

request({
	method: "POST",
	uri: 'http://localhost:8000',
	multipart: [{body:500}]
},function(err,res,body){});

Recommendation

Update to version 2.68.0 or later

(GitHub Advisory)

5.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16026

GHSA ID

GHSA-7xfp-9c55-5vqj

EPSS Score

0.78318%

CWE

CWE-201

Published

11/9/2018

Updated

9/12/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
request	npm	>= 2.49.0, < 2.68.0	2.68.0
request	npm	>= 2.2.6, < 2.47.0	2.68.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how multipart body parts were handled when the body type was a number. The unpatched add function in lib/multipart.js passed numeric values directly to 'new Buffer(part)', creating a buffer of uninitialized memory of the specified size. The commit diff shows this was fixed by adding a type check and string conversion for numeric values. The PoC demonstrates this by sending {body:500}, which would trigger the vulnerable code path. The function's direct buffer allocation without sanitizing numeric input matches the described vulnerability mechanism.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `r*qu*st` will *is*los* lo**l syst*m m*mory to r*mot* syst*ms in **rt*in *ir*umst*n**s. W**n * multip*rt r*qu*st is m***, *n* t** typ* o* `*o*y` is `num**r`, t**n * *u***r o* t**t siz* will ** *llo**t** *n* s*nt to t** r*mot* s*r

Reasoning

T** vuln*r**ility st*ms *rom *ow multip*rt *o*y p*rts w*r* **n*l** w**n t** *o*y typ* w*s * num**r. T** unp*t**** `***` *un*tion in `li*/multip*rt.js` p*ss** num*ri* v*lu*s *ir**tly to 'n*w *u***r(p*rt)', *r**tin* * *u***r o* uniniti*liz** m*mory o*

5.9

Basic Information

Concerned about an active attack path?

CVE-2017-16026: Remote Memory Exposure in request

Proof of Concept

Recommendation

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI