Unauthenticated Denial of Service in the octokit/webhooks library - @octokit/app

Severity:: High

Description

Versions v9.26.0, v10.9.x), v11.1.x, v12.0.x all contained the code that would throw the error.

Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building Github Apps). The resulting request was found to cause an uncaught exception that ends the nodejs process.

Recommendation

Update the @octokit/app package to the latest compatible version. Followings are version details:

Affected version(s): = 14.0.1
Patched version(s): 14.0.2

References

GHSA-pwfr-8pq7-x9qv
CVE-2023-50728
CWE-755
CAPEC-310
OWASP 2021-A6

Related Issues

Unauthenticated Denial of Service in the octokit/webhooks library - CVE-2023-50728
Unauthenticated Denial of Service in the octokit/webhooks library - @octokit/webhooks - CVE-2023-50728
MathJax Regular expression Denial of Service (ReDoS) - CVE-2023-39663
angular vulnerable to regular expression denial of service via the <input type="url"> element - CVE-2023-26118

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; @octokit/app

Anything's wrong? Let us know Last updated on December 16, 2023