Description
Versions v9.26.0, v10.9.x, v11.1.x and v12.0.x all contained the code that would throw the error.
Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building GitHub Apps). The resulting request was found to cause an uncaught exception that terminates the Node.js process.
Recommendation
Update the octokit package to the latest compatible version. Version details:
- Affected version(s): < 3.1.2
- Patched version(s): 3.1.2
References
Related Issues
- Unauthenticated Denial of Service in the octokit/webhooks library (GHSA-pwfr-8pq7-x9qv) - CVE-2023-50728
- Unauthenticated Denial of Service in the octokit/webhooks library (GHSA-pwfr-8pq7-x9qv) 2 - CVE-2023-50728
- angular vulnerable to regular expression denial of service via the $resource service - CVE-2023-26117
- angular vulnerable to regular expression denial of service via the <input type="url"> element - CVE-2023-26118
Tags:
- npm
- octokit
Last updated on December 16, 2023