Unauthenticated Denial of Service in the octokit/webhooks library - @octokit/webhooks

Description

Versions v9.26.0, v10.9.x), v11.1.x, v12.0.x all contained the code that would throw the error.

Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building Github Apps). The resulting request was found to cause an uncaught exception that ends the nodejs process.

Recommendation

Update the @octokit/webhooks package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 12.0.0, < 12.0.3

  >= 11.0.0, < 11.1.2

  >= 10.0.0, < 10.9.2

  < 9.26.3**

• Patched version(s): **12.0.3

  11.1.2

  10.9.2

  9.26.3**

References

• GHSA-pwfr-8pq7-x9qv
• CVE-2023-50728
• CWE-755
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Unauthenticated Denial of Service in the octokit/webhooks library - CVE-2023-50728
• Unauthenticated Denial of Service in the octokit/webhooks library - @octokit/app - CVE-2023-50728
• MathJax Regular expression Denial of Service (ReDoS) - CVE-2023-39663
• angular vulnerable to regular expression denial of service via the <input type="url"> element - CVE-2023-26118

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@octokit/webhooks