CVE-2017-16129

The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several orders of magnitude larger once uncompressed. If a client does not take special care when processing such responses, the result may be excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this, the attacker must control the location (URL) that superagent makes a request to.
Data Amplification
CVSS 3.x Base Score

Provider   Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       NIST  5.9 MEDIUM  NETWORK      HIGH             NONE            CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
hackerone  CNA   ---         ---          ---              ---             ---
CVE        ADP   ---         ---          ---              ---             ---

EPSS Score Percentile: 16%
Vendor              Product     Version
superagent_project  superagent  < 3.7.0 (vulnerable software versions)
Debian Releases

Debian Product   Codename  Version  Status
node-superagent  bullseye  6.1.0-4  fixed
node-superagent  bookworm  8.0.5-1  fixed
node-superagent  sid       9.0.1-1  fixed
node-superagent  trixie    9.0.1-1  fixed
Ubuntu Releases

Ubuntu Product   Codename  Status
node-superagent  noble     not-affected
node-superagent  mantic    not-affected
node-superagent  lunar     not-affected
node-superagent  kinetic   not-affected
node-superagent  jammy     not-affected
node-superagent  impish    not-affected
node-superagent  hirsute   not-affected
node-superagent  groovy    not-affected
node-superagent  focal     not-affected
node-superagent  bionic    needed
node-superagent  xenial    needed
node-superagent  trusty    dne (package does not exist in this release)