Unauthenticated Denial of Service in the octokit/webhooks library (GHSA-pwfr-8pq7-x9qv)
- Severity: High
Description
Versions v9.26.0, v10.9.x, v11.1.x and v12.0.x all contained the code that would throw the error.
Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building GitHub Apps). The request involved was found to cause an uncaught exception that terminates the Node.js process.
Recommendation
Update the @octokit/app package to the latest compatible version. Version details:
- Affected version(s): = 14.0.1
- Patched version(s): 14.0.2
References
Related Issues
- Unauthenticated Denial of Service in the octokit/webhooks library (GHSA-pwfr-8pq7-x9qv) - CVE-2023-50728
- Unauthenticated Denial of Service in the octokit/webhooks library - CVE-2023-50728
- Denial of Service in protobufjs (GHSA-762f-c2wg-m8c8) - CVE-2018-3738
- Regular Expression Denial of Service in postcss (GHSA-hwj9-h5mp-3pm3) - CVE-2021-23368
- Tags: npm, @octokit/app
Last updated on December 16, 2023