Infinite loop Affecting node package, versions [12.0.0,12.22.11) [14.0.0,14.19.1) [16.0.0,16.14.2) [17.0.0,17.7.2)

Severity: high

Snyk CVSS
  Attack Complexity: Low
  Availability: High

Threat Intelligence
  Exploit Maturity: Proof of concept
  EPSS: 1.34% (86th percentile)

NVD: 7.5 high
SUSE: 7.5 high
Red Hat: 7.5 high

  • Snyk ID SNYK-UPSTREAM-NODE-5811867
  • published 16 Mar 2022
  • disclosed 15 Mar 2022
  • credit Unknown

How to fix?

Upgrade node to version 12.22.11, 14.19.1, 16.14.2, 17.7.2 or higher.

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to an infinite loop in the BN_mod_sqrt() function when parsing certificates. The loop can be triggered by a certificate carrying invalid explicit elliptic-curve parameters. Because certificate parsing happens before the certificate signature is verified, the signature check offers no protection: any process that parses an externally supplied certificate (for example a TLS endpoint that accepts certificates from the peer) may be subject to a denial of service attack.
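As an added example (not Snyk's or the Node project's own code), the following check decides whether a given Node.js version falls inside this advisory's affected ranges, using the interval notation from the title ("[" and "]" inclusive, "(" and ")" exclusive). Run it on a host to see whether the installed runtime needs the upgrade listed under "How to fix?".

```javascript
// Affected ranges exactly as listed in this advisory.
const AFFECTED_RANGES =
  '[12.0.0,12.22.11) [14.0.0,14.19.1) [16.0.0,16.14.2) [17.0.0,17.7.2)';

// Parse "v16.14.1" or "16.14.1" into [16, 14, 1]; throws on malformed input.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of [major, minor, patch] tuples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Turn "[12.0.0,12.22.11)" into its bounds plus inclusivity flags.
function parseRange(text) {
  const m = /^([\[(])([^,]+),([^\])]+)([\])])$/.exec(text.trim());
  if (!m) throw new Error(`unrecognised range: ${text}`);
  return {
    lo: parseVersion(m[2]), loInclusive: m[1] === '[',
    hi: parseVersion(m[3]), hiInclusive: m[4] === ']',
  };
}

// True if `version` lies within a single parsed range.
function inRange(version, range) {
  const v = parseVersion(version);
  const lo = compareVersions(v, range.lo);
  const hi = compareVersions(v, range.hi);
  return (range.loInclusive ? lo >= 0 : lo > 0) &&
         (range.hiInclusive ? hi <= 0 : hi < 0);
}

// True if `version` falls inside any range of the advisory.
function isAffected(version, rangeSpec = AFFECTED_RANGES) {
  return rangeSpec.split(/\s+/).filter(Boolean)
    .map(parseRange)
    .some((r) => inRange(version, r));
}

// Report on the runtime executing this script.
const current = process.version; // e.g. "v16.14.2"
console.log(`${current}: ${isAffected(current)
  ? 'AFFECTED, upgrade per the advisory' : 'not in the affected ranges'}`);
```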