Unauthenticated Denial of Service in the octokit/webhooks library (GHSA-pwfr-8pq7-x9qv)
- Severity: High
Description
Versions v9.26.0, v10.9.x, v11.1.x and v12.0.x all contained the code that would throw the error.
Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building GitHub Apps). The resulting request was found to cause an uncaught exception that ends the Node.js process.
Recommendation
Update the @octokit/app package to the latest compatible version. Version details:
- Affected version(s): = 14.0.1
- Patched version(s): 14.0.2
- Tags: npm, @octokit/app
Last updated on December 16, 2023