Description
Hi all,
There are some severe vulnerabilities in WUD. Here are the details.
Allocation of Resources Without Limits or Throttling (S-64)
The vulnerability S-64 is related to the package qs version 6.5.3 and is categorized as "Allocation of Resources Without Limits or Throttling." Below are the details:
Description:
The qs package, a querystring parser supporting nesting and arrays, is vulnerable due to improper enforcement of the arrayLimit option in bracket notation parsing. An attacker can exploit this vulnerability by submitting a large number of bracket notation parameters (e.g., a[]=1&a[]=2) in a single HTTP request. This can exhaust server memory and cause application unavailability.
Remediation:
Upgrade the qs package to version 6.14.1 or higher to mitigate this vulnerability.
References:
CVE: CVE-2025-15284
OWASP Reference: 2021:A6
Predictable Value Range from Previous Values (S-62)
The vulnerability S-62 is identified as "Predictable Value Range from Previous Values" and is associated with the form-data package version 2.3.3. Below are the details:
Description:
Affected versions of the form-data package are vulnerable to predictable value manipulation via the boundary value, which uses Math.random(). This allows an attacker to exploit predictable HTTP request boundaries, potentially leading to HTTP parameter pollution.
Remediation:
Upgrade the form-data package to one of the following versions:
- 2.5.4
- 3.0.4
- 4.0.4 or higher
References:
CVE: CVE-2025-7783
OWASP: 2021:A6
There are a couple of minor vulnerabilities too; they can be fixed by:
- Upgrade the tar-fs package to one of the following secure versions: 1.16.4, 2.1.2, 3.0.7, or higher.
- Upgrade tough-cookie to version 4.1.3 or
- The request package has been deprecated, and no fix is expected. It is recommended to migrate to alternative libraries for HTTP requests.
- Upgrade the on-headers package to version 1.1.0 or higher.