npm

speaker vulnerable to Denial of Service

High severity GitHub Reviewed Published Jul 10, 2024 to the GitHub Advisory Database • Updated Jul 11, 2024

Package

speaker (npm)

Affected versions

<= 0.5.5

Patched versions

None

Description

All versions of the package speaker are vulnerable to Denial of Service (DoS) when providing unexpected input types to the channels property of the Speaker object makes it possible to reach an assert macro. Exploiting this vulnerability can lead to a process crash.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-21526
https://security.snyk.io/vuln/SNYK-JS-SPEAKER-6370676
https://github.com/TooTallNate/node-speaker/blob/316afff5a393fce438cf7296011fcfc6e12aa9dc/src/binding.c#L48

Published by the National Vulnerability Database

Jul 10, 2024

Published to the GitHub Advisory Database Jul 10, 2024

Reviewed Jul 10, 2024

Last updated Jul 11, 2024

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

speaker vulnerable to Denial of Service

Package

Affected versions

Patched versions

Description

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code