Buffer Overflow

Affecting node package, versions [15.0.0, 15.10.0) || [14.0.0, 14.16.0) || [12.0.0, 12.21.0) || [10.0.0, 10.24.0)

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Buffer Overflow. Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

Remediation

Upgrade node to version 15.10.0, 14.16.0, 12.21.0, 10.24.0 or higher.

References

CVSS Score

3.7
low severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    None
  • Availability
    Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Credit
Paul Kehrer
CVE
CVE-2021-23840
CWE
CWE-121
Snyk ID
SNYK-UPSTREAM-NODE-1078519
Published
23 Feb, 2021