GHSA-57cf-349j-352g: Out-of-bounds Read in npmconf

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
Published: 6/12/2019
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
npmconf         npm          < 2.1.3                2.1.3

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from unsafe Buffer initialization when processing numeric input in Node.js 4.x. Since npmconf handles configuration serialization, the save method in its Config class is the most probable location where data gets written to disk. The description explicitly calls out numeric type handling and uninitialized memory exposure, which aligns with deprecated new Buffer(size) usage. While the exact code changes aren't visible, the pattern matches known Buffer-related vulnerabilities fixed by replacing new Buffer() with Buffer.alloc().

WAF Protection Rules

WAF Rule

Versions of `npmconf` before 2.1.3 allocate and write to disk uninitialized memory contents when a typed number is passed as input on Node.js 4.x.

Recommendation

Update to version 2.1.3 or later. Consider switching to another config storage me
