Out-of-bounds Read

Affecting node package, versions [15.0.0,16.4.1) || [13.0.0,14.17.2) || [,12.22.2)

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Out-of-bounds Read in libuv's uv__idna_toascii() function, which is used to convert strings to ASCII. It is called by Node's dns module's lookup() function, and the out-of-bounds read can lead to information disclosure or crashes.

Remediation

Upgrade node to version 16.4.1, 14.17.2, 12.22.2 or higher.
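An added check, not part of the advisory, that tests a Node.js version string against the affected ranges listed at the top of this page, parsing the advisory's own interval notation (`[lo,hi)` where `[`/`]` are inclusive, `(`/`)` exclusive, and an empty lower bound means every earlier version). It assumes plain major.minor.patch strings such as `process.version` and ignores prerelease suffixes.

```javascript
// Added example: decide whether a Node.js version is inside the advisory's
// affected ranges. The spec string below is copied from the advisory.
const AFFECTED = '[15.0.0,16.4.1) || [13.0.0,14.17.2) || [,12.22.2)';

// "v16.4.0" or "16.4.0" -> [16, 4, 0]; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two [major, minor, patch] triplets.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "[13.0.0,14.17.2)" -> { lo, loInclusive, hi, hiInclusive }; empty bound -> null.
function parseRange(text) {
  const m = /^([\[(])([^,]*),([^\])]*)([\])])$/.exec(text.trim());
  if (!m) throw new Error(`unparseable range: ${text}`);
  const [, open, lo, hi, close] = m;
  return {
    lo: lo ? parseVersion(lo) : null, loInclusive: open === '[',
    hi: hi ? parseVersion(hi) : null, hiInclusive: close === ']',
  };
}

function inRange(ver, r) {
  if (r.lo) {
    const c = compare(ver, r.lo);
    if (c < 0 || (c === 0 && !r.loInclusive)) return false;
  }
  if (r.hi) {
    const c = compare(ver, r.hi);
    if (c > 0 || (c === 0 && !r.hiInclusive)) return false;
  }
  return true;
}

// True when the version falls inside any of the '||'-separated ranges.
function isAffected(version, spec = AFFECTED) {
  const v = parseVersion(version);
  return spec.split('||').some((part) => inRange(v, parseRange(part)));
}

// Report on the runtime executing this script.
console.log(process.version, isAffected(process.version) ? 'AFFECTED' : 'not affected');
```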

CVSS Score

8.2
high severity
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Credit: Unknown
CVE: CVE-2021-22918
CWE: CWE-125
Snyk ID: SNYK-UPSTREAM-NODE-1315790
Disclosed: 02 Jul, 2021
Published: 02 Jul, 2021