CVE-2021-41167 – modern-async
Package
Manager: npm
Name: modern-async
Vulnerable Version: >=0 <1.0.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00367 (percentile: 0.57881)
Details
modern-async's `forEachSeries` and `forEachLimit` functions do not limit the number of requests

### Impact
This is a bug affecting two of the functions in this library: `forEachSeries` and `forEachLimit`. They should limit the concurrency of some actions but, in practice, they don't. Any code calling these functions will be written thinking they would limit the concurrency but they won't. This could lead to potential security issues in other projects.

### Patches
The problem has been patched in 1.0.4.

### Workarounds
There is no workaround aside from upgrading to 1.0.4.
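One way to confirm that a `forEachLimit`-style function actually enforces its limit is to measure peak in-flight calls. This is an added example, not code from modern-async or the advisory; the helper names and the two stand-in implementations are hypothetical and constructed for illustration.

```javascript
// Runs `fn(items, iteratee, limit)` and returns the highest number of
// iteratee calls that were in flight at the same time.
async function peakConcurrency(fn, itemCount, limit) {
  let inFlight = 0;
  let peak = 0;
  const items = Array.from({ length: itemCount }, (_, i) => i);
  await fn(items, async () => {
    inFlight += 1;
    peak = Math.max(peak, inFlight);
    await new Promise((resolve) => setTimeout(resolve, 5)); // simulated I/O
    inFlight -= 1;
  }, limit);
  return peak;
}

// Constructed stand-in for the failure mode the advisory describes:
// the function accepts a limit but starts every call at once.
async function unboundedForEachLimit(items, iteratee, _limit) {
  await Promise.all(items.map((item, index) => iteratee(item, index)));
}

// Constructed reference behaviour: `limit` workers pull from a shared cursor,
// so no more than `limit` iteratee calls are ever pending.
async function boundedForEachLimit(items, iteratee, limit) {
  let next = 0;
  const worker = async () => {
    while (next < items.length) {
      const index = next++;
      await iteratee(items[index], index);
    }
  };
  const workers = Array.from({ length: Math.min(limit, items.length) }, worker);
  await Promise.all(workers);
}

// Regression check: true only if the peak never exceeds the requested limit.
async function respectsLimit(fn, itemCount = 20, limit = 3) {
  return (await peakConcurrency(fn, itemCount, limit)) <= limit;
}
```

To check an installed copy of the package, pass its `forEachLimit` export to `respectsLimit`, assuming it takes `(iterable, iteratee, concurrency)` in that order.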
Metadata
Created: 2021-10-21T17:49:30Z
Modified: 2022-08-15T20:14:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-3pcq-34w5-p4g2/GHSA-3pcq-34w5-p4g2.json
CWE IDs: ["CWE-400", "CWE-770"]
Alternative ID: GHSA-3pcq-34w5-p4g2
Finding: F067
Auto approve: 1