CVE-2024-29042 – translate

Package

Manager: npm
Name: translate
Vulnerable Version: >=0 <3.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0026 pctl0.49132

Details

Cache Poisoning Vulnerability ### Summary An attacker controlling the second variable of the `translate` function is able to perform a cache poisoning attack. They can change the outcome of translation requests made by subsequent users. ### Details The `opt.id` parameter allows the overwriting of the cache key. If an attacker sets the `id` variable to the cache key that would be generated by another user, they can choose the response that user gets served. ### PoC Take the following simple server allowing users to supply text and the language to translate to. ```javascript import translate from "translate"; import express from 'express'; const app = express(); app.use(express.json()); app.post('/translate', async (req, res) => { const { text, language } = req.body; const result = await translate(text, language); return res.json(result); }); const port = 3000; app.listen(port, () => { console.log(`Server is running on port ${port}`); }); ``` We can send the following request to poison the cache: ``` {"text":"I hate you", "language":{"to":"nl","id":"undefined:en:nl:google:I love you"}} ```  Now, any user that attempts to translate "I love you" to Dutch, will get "I hate you" in Dutch as the response.  ### Impact An attacker can control the results other users may get

Metadata

Created: 2024-03-22T16:57:21Z
Modified: 2024-03-22T20:02:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-882j-4vj5-7vmj/GHSA-882j-4vj5-7vmj.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-882j-4vj5-7vmj
Finding: F184
Auto approve: 1