inflight
Memory leak detected in version 1.0.6 by veracode
Veracode has detected a memory leak vulnerability
Any update on this vulnerability?
Memory Leak: inflight is vulnerable to a Memory Leak. The vulnerability is due to lack of restrictions on how many callbacks the library can concurrently support, which can result in a NodeJS out of heap memory crash. Still getting this error.
Also wondering if this issue persists? Looks like glob up to glob@9 depends on inflight and other packages in our project depend on glob@<9 so we are stuck with the memory leak warnings in CI
Hello, any update on this?
veracode detected a memory leak vulnerability @1.0.6
Is this repo dead?
In https://github.com/isaacs/node-glob/issues/435 @isaacs mentioned that newer versions of glob >= 9 no longer use inflight.
The remediation for those using older versions of glob would then, presumably, be to upgrade to a newer version.
Sadly, this may not be an option for projects with other transitive dependencies (npmjs.com lists 1628 dependents: https://www.npmjs.com/package/inflight?activeTab=dependents ). These would all be advised to move away as this library looks to be abandoned.
Unfortunately, in the meantime applications that transitively use this library would need to determine how they are using this library to determine if they are vulnerable. Note that the impact of this would be a Denial of Service but would require an attacker to trigger many requests (we were able to reproduce this with millions of simple requests, that may be less in other cases).
It looks like @GreihMurray has been working on using an arbitrary limit of 500 concurrent requests: https://github.com/isaacs/inflight/compare/main...GreihMurray:inflight-fork:main . This might help but would need to be tested. Also 500 requests may not be enough for some purposes and I'm not sure what happens > 500 requests.
Maybe someone else (more familiar with how this is used) could help out here and provide a PR / fixed fork?
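The capped-concurrency mitigation discussed in this comment, as an added illustrative example (not the inflight library's own code and not the linked fork): a bounded variant of the inflight(key, cb) pattern that stops registering new keys once an assumed, arbitrary limit of 500 pending keys is reached and hands the caller back its own callback instead, so the pending table cannot grow without bound. Names such as boundedInflight, MAX_PENDING_KEYS and demo are this example's own.

```javascript
// Bounded variant of the inflight(key, cb) idea (illustrative, not the library's
// code): callers that share a key are coalesced onto one in-progress operation,
// but the number of distinct keys pending at once is capped. Past the cap the
// caller simply gets its own callback back (no coalescing), so the table cannot
// grow with every unique key whose completion is never signalled.
const MAX_PENDING_KEYS = 500; // assumed, arbitrary limit (as in the thread)
const reqs = new Map();       // key -> callbacks waiting on that key

function boundedInflight(key, cb) {
  const waiters = reqs.get(key);
  if (waiters) {
    waiters.push(cb);         // later callers for a live key just wait
    return null;
  }
  if (reqs.size >= MAX_PENDING_KEYS) {
    // Cap reached: do not register the key; the caller runs its own work.
    // This trades deduplication for a bounded footprint under load.
    return cb;
  }
  reqs.set(key, [cb]);
  return makeRes(key);
}

function makeRes(key) {
  let done = false;
  return function res(...args) {
    if (done) return;         // once semantics: repeated completion is ignored
    done = true;
    const cbs = reqs.get(key);
    reqs.delete(key);         // free the slot before fanning out to waiters
    for (const fn of cbs) fn(...args);
  };
}

function pendingKeys() {
  return reqs.size;
}

// Self-check with constructed keys: fill the table to the cap, show that one
// more unique key is handed back unregistered, then drain everything.
function demo() {
  const keys = Array.from({ length: MAX_PENDING_KEYS }, (_, i) => `key${i}`);
  const resolvers = keys.map((k) => boundedInflight(k, () => {}));
  const atCap = pendingKeys();
  const extraCb = () => {};
  const handedBack = boundedInflight('extra', extraCb) === extraCb;
  resolvers.forEach((res) => res(null, 'ok'));
  return { atCap, handedBack, afterDrain: pendingKeys() };
}
```

A caller that receives its own callback back has lost the deduplication benefit for that key, which is the "what happens above the limit" question raised above; a counter on that branch is the natural place to alert on sustained overflow.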
I've done a few basic tests to try and remedy this with no success. 500 was an arbitrary number which I just selected more or less at random while testing. Unfortunately I am unable to get it to work and would agree that the best practice is likely to upgrade other dependencies where possible.
If anyone is seeing this transitively due to usage of pino-pretty, I entered an issue there: https://github.com/mcollina/help-me/issues/17
And related PR to fix: https://github.com/mcollina/help-me/pull/18
Please give those a thumbs up if you are affected. Thanks!
Any update on this?
@0xSmiley No
https://github.com/isaacs/inflight/issues/5#issuecomment-2126153820