Miggo Logo

CVE-2020-8175: Uncontrolled resource consumption in jpeg-js

5.5

CVSS Score
3.1

Basic Information

EPSS Score
0.70629%
Published
7/27/2020
Updated
9/8/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
jpeg-jsnpm< 0.4.00.4.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from missing resource controls in two key areas: 1) The parse() function didn't validate() image dimensions against a maximum resolution limit (maxResolutionInMP), allowing giant image processing. 2) Memory allocations for decoding structures (blocks, DCT tables, Huffman tables) lacked tracking/limiting mechanisms (via requestMemoryAllocation). The commit 135705b explicitly added these safeguards in the parse() function and allocation points, confirming these were the vulnerable areas pre-0.4.0.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Un*ontroll** r*sour** *onsumption in `jp**-js` ***or* *.*.* m*y *llow *tt**k*r to l*un** **ni*l o* s*rvi** *tt**ks usin* sp**i*lly * *r**t** JP** im***.

Reasoning

T** vuln*r**ility st*mm** *rom missin* r*sour** *ontrols in two k*y *r**s: *) T** `p*rs*()` *un*tion *i*n't `v*li**t*()` im*** *im*nsions ***inst * m*ximum r*solution limit (m*xR*solutionInMP), *llowin* *i*nt im*** pro**ssin*. *) M*mory *llo**tions *