VYPR
← All advisories
Critical severityNVD Advisory· Published Jun 7, 2018· Updated Sep 17, 2024

CVE-2018-3739

CVE-2018-3739

Description

https-proxy-agent before 2.2.0 unsafely passes user-controlled input to the Buffer constructor, enabling denial of service and memory disclosure via crafted auth data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

https-proxy-agent before 2.2.0 unsafely passes user-controlled input to the Buffer constructor, enabling denial of service and memory disclosure via crafted auth data.

Vulnerability

The https-proxy-agent npm package (versions before 2.2.0) passes the user-supplied auth option directly to the new Buffer() constructor without sanitization [2]. The vulnerable code is in index.js at line 207, where Buffer(proxy.auth) is converted to base64 for the Proxy-Authorization header [4]. Because new Buffer() with a numeric or object argument can lead to uninitialized memory or an abnormal process termination, an attacker who can control the auth parameter (e.g., via JSON input) triggers a denial of service or memory disclosure [3].

Exploitation

An attacker needs the ability to supply a crafted value to the auth option of an https-proxy-agent instance. In scenarios where the agent receives user-supplied JSON (e.g., from a web API that proxies requests), the attacker can set auth to a number or an array, bypassing any string-only expectations. No authentication or special network position is required beyond the ability to influence the input used to create the agent. The exploit does not require user interaction — it occurs when the proxy-agent processes the malicious configuration.

Impact

Successful exploitation results in a denial of service (DoS) due to the process crashing, and in cases where the auth value is a number, an uninitialized memory leak may occur, potentially exposing sensitive data from the heap to subsequent operations [1]. The vulnerability does not provide remote code execution or privilege escalation, but it compromises availability and confidentiality.

Mitigation

The vulnerability is fixed in https-proxy-agent version 2.2.0, released on July 27, 2018 [3]. The fix replaces the deprecated new Buffer() call with Buffer.from() [4], which validates the input and throws a clear error if the argument is not a string. Users should upgrade to >=2.2.0. There is no known KEV listing. No other workarounds were published in the available references.

References
  1. NVD - CVE-2018-3736
  2. GitHub - TooTallNate/proxy-agents: Node.js HTTP Proxy Agents Monorepo
  3. CVE-2018-3739 - GitHub Advisory Database
  4. Use `Buffer.from()` · TooTallNate/proxy-agents@1c24219

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
https-proxy-agentnpm
< 2.2.02.2.0

Affected products

8

Patches

1
1c24219df875

Use `Buffer.from()`

https://github.com/TooTallNate/node-https-proxy-agentNathan RajlichMar 3, 2018via ghsa
commit
1 file changed · +1 1
  • index.js+1 1 modified
    @@ -204,7 +204,7 @@ HttpsProxyAgent.prototype.callback = function connect(req, opts, fn) {
   var headers = Object.assign({}, proxy.headers);
   if (proxy.auth) {
     headers['Proxy-Authorization'] =
-      'Basic ' + new Buffer(proxy.auth).toString('base64');
+      'Basic ' + Buffer.from(proxy.auth).toString('base64');
   }
 
   // the Host header should only include the port

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.