CVE-2021-39176: 
JavaScript vulnerability analysis and mitigation

detect-character-encoding is a package for detecting character encoding using ICU. In versions 0.3.0 and earlier, a memory leak vulnerability was identified where allocated memory was not properly released. This vulnerability was assigned CVE-2021-39176 and was discovered in August 2021. The vulnerability affects all versions of detect-character-encoding up to and including version 0.3.0 (GitHub Advisory).

The vulnerability stems from a failure to properly close the charsetDetector after its creation and use. According to ICU documentation, failure to close a charset detector when finished can result in memory leaks in the application. The issue was specifically related to the missing call to ucsdet_close() function, which is required to release storage and other resources owned by the charset detector (GitHub Commit). The vulnerability received a CVSS v3.1 base score of 7.5 (High) and temporal score of 7.2 (High) (GitHub Advisory).

When the vulnerable code is implemented in a program accessible over the internet, it can lead to memory leaks that eventually cause the application to become unavailable. The vulnerability primarily affects the availability of the system, with no direct impact on confidentiality or integrity. A proof of concept demonstrated that making repeated requests to an endpoint using the vulnerable package causes the Node.js process to consume increasingly more memory (GitHub Advisory).

The vulnerability has been patched in detect-character-encoding version 0.3.1. The fix involves properly closing the charsetDetector by adding calls to ucsdet_close() at appropriate points in the code (GitHub PR). Users should upgrade to version 0.3.1 or later to address this vulnerability.