Unauthenticated Denial of Service in the octokit/webhooks library (GHSA-pwfr-8pq7-x9qv)
- Severity: High
Description
Versions v9.26.0, v10.9.x, v11.1.x and v12.0.x all contained the code that would throw the error.
Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building GitHub Apps). The resulting request was found to cause an uncaught exception that ends the Node.js process.
Recommendation
Update the @octokit/app package to the latest compatible version. The version details are as follows:
- Affected version(s): = 14.0.1
- Patched version(s): 14.0.2
Related Issues
- Unauthenticated Denial of Service in the octokit/webhooks library (GHSA-pwfr-8pq7-x9qv) - CVE-2023-50728
- Unauthenticated Denial of Service in the octokit/webhooks library - CVE-2023-50728
- Cube API denial of service attack - CVE-2023-50709
- Regular Expression Denial of Service in moment (GHSA-87vv-r9j6-g5qv) - CVE-2016-4055
- Tags: npm, @octokit/app
Last updated on December 16, 2023