CVE-2017-16026
In short
A vulnerability in the Request HTTP client library allows attackers to leak sensitive data from server memory when uploading files through multipart requests with specially crafted numeric body parameters. This could expose passwords, tokens, or other confidential information.
Technical detail
CWE-201 (Information Exposure Through an Error Message) manifests when multipart requests with numeric body types cause the Request library to include uninitialized memory in the HTTP body. The vulnerability affects versions 2.2.6 to 2.47.0 and 2.51.0 to 2.67.0, enabling memory disclosure attacks without requiring authentication or special privileges beyond the ability to trigger multipart uploads.
Summary generated and translated by AI from the official description.
Request is an HTTP client. If a request is made using `multipart`, and the body type is a `number`, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.
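A caller-side guard for the condition described above, as an added example that is not code from the Request project: it normalizes multipart part bodies so a number taken from untrusted input is never handed to the HTTP client as a body. The helper names `safeMultipartBody` and `buildMultipart` are hypothetical, and the array-of-parts shape with a `body` field is an assumption about how the application builds its `multipart` option.

```javascript
'use strict';
// Added example, not part of the request library.
// Helper names are hypothetical; the sample input is constructed.

const { Readable } = require('stream');

// Accept only body types whose bytes are fully defined by the caller.
function safeMultipartBody(body) {
  if (typeof body === 'string' || Buffer.isBuffer(body)) return body;
  if (body instanceof Readable) return body;
  if (typeof body === 'number' || typeof body === 'bigint' || typeof body === 'boolean') {
    // Serialize the value as text so it can never be read as a buffer length.
    return String(body);
  }
  // Objects, undefined, null, functions: refuse instead of guessing.
  throw new TypeError('unsupported multipart body type: ' + typeof body);
}

// Normalize every part of a multipart array before it reaches the HTTP client.
function buildMultipart(parts) {
  if (!Array.isArray(parts)) {
    throw new TypeError('multipart must be an array of parts');
  }
  return parts.map((part, i) => {
    if (part === null || typeof part !== 'object') {
      throw new TypeError('multipart part ' + i + ' must be an object');
    }
    // Copy the part so headers such as content-type are preserved unchanged.
    return Object.assign({}, part, { body: safeMultipartBody(part.body) });
  });
}

// Constructed input: "body" arrived as a JSON number from an untrusted client.
const untrusted = JSON.parse('[{"content-type":"text/plain","body":4096}]');
const parts = buildMultipart(untrusted);

// The part now carries the four characters "4096", not a 4096-byte buffer.
console.log(JSON.stringify(parts[0].body), Buffer.byteLength(parts[0].body));
```

Pass the result of `buildMultipart` as the `multipart` option instead of the raw, caller-supplied array.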
Affected products
HackerOne · request node module