CVE-2023-50728: 
JavaScript vulnerability analysis and mitigation

The vulnerability (CVE-2023-50728) affects the @octokit/webhooks library, a GitHub webhook events toolset for Node.js. The issue was discovered in versions starting from 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4. The vulnerability was disclosed on December 15, 2023, and impacts multiple related packages including app.js, octokit.js, and Probot (GitHub Advisory).

The vulnerability stems from improper error handling in the @octokit/webhooks library where the error can be undefined in some cases. This issue leads to an uncaught exception that terminates the Node.js process. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while GitHub assigned it a score of 5.4 (MEDIUM) with vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H (NVD).

When exploited, this vulnerability results in a denial of service condition by causing an uncaught exception that terminates the Node.js process. The impact primarily affects the availability of the service, with no impact on confidentiality and low impact on integrity according to the CVSS metrics (GitHub Advisory).

The vulnerability has been patched in multiple versions: octokit/webhooks.js versions 9.26.3, 10.9.2, 11.1.2, and 12.0.4; app.js version 14.0.2; octokit.js version 3.1.2; and Probot version 12.3.3. It is recommended that all users upgrade to the latest version of octokit/webhooks.js or use one of the updated backported versions (GitHub Advisory).