Homepage
About Snyk

Use After Free Affecting node package, versions [,10.23.1) [11.0.0, 12.20.1) [13.0.0, 14.15.4) [15.0.0, 15.5.1)

0.0
medium

Snyk CVSS

    Attack Complexity High
    Availability High

    Threat Intelligence

    EPSS 0.67% (80th percentile)
Expand this section
NVD
8.1 high
Expand this section
SUSE
8.1 high
Expand this section
Red Hat
8.1 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-UPSTREAM-NODE-1055471
  • published 5 Jan 2021
  • disclosed 5 Jan 2021
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 5 Jan 2021

CVE-2020-8265 Open this link in a new tab
CWE-416 Open this link in a new tab

How to fix?

Upgrade node to version 10.23.1, 12.20.1, 14.15.4, 15.5.1 or higher.

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Use After Free. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory.

References