Use After Free in node

Do your applications use this vulnerable package? Test your applications

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Use After Free. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory.

Remediation

Upgrade node to version 10.23.1, 12.20.1, 14.15.4, 15.5.1 or higher.

References

GitHub Commit

Attack Vector

Network
Attack Complexity

High
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

None
Integrity

None
Availability

High

Credit: Unknown
CVE: CVE-2020-8265
CWE: CWE-416
Snyk ID: SNYK-UPSTREAM-NODE-1055471
Disclosed: 05 Jan, 2021
Published: 05 Jan, 2021

Use After Free
Affecting node package, versions [,10.23.1) || [11.0.0, 12.20.1) || [13.0.0, 14.15.4) || [15.0.0, 15.5.1)

Overview

Remediation

References

CVSS Score

Use After Free Affecting node package, versions [,10.23.1) || [11.0.0, 12.20.1) || [13.0.0, 14.15.4) || [15.0.0, 15.5.1)

Overview

Remediation

References

Use After Free
Affecting node package, versions [,10.23.1) || [11.0.0, 12.20.1) || [13.0.0, 14.15.4) || [15.0.0, 15.5.1)