CVE-2022-36127: Apache SkyWalking NodeJS Agent can lose availability if header includes illegal SkyWalking header

July 19, 2022 (updated August 6, 2022)

A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can’t establish the connection.

References

www.openwall.com/lists/oss-security/2022/07/18/1
github.com/advisories/GHSA-8gpg-466c-5cpj
lists.apache.org/thread/x238wo4r5goy39dxdjcmlofp6gcdnqr3
nvd.nist.gov/vuln/detail/CVE-2022-36127
skywalking.apache.org/events/release-apache-skywalking-nodejs-0-5-1/

Code Behaviors & Features

Detect and mitigate CVE-2022-36127 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →