A flaw was found in Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0. Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body. References: https://github.com/request/request/issues/1904 https://nodesecurity.io/advisories/309 Patch: https://github.com/request/request/pull/2018
Created nodejs-request tracking bugs for this issue: Affects: epel-all [bug 1588834] Affects: fedora-all [bug 1588836]
The current version (2.75.0) of request shipped in Red Hat Software Collections is not affected.