CVE-2021-22918

EPSS 23.1% · CWE-125

In short

Node.js has an out-of-bounds memory read in its string conversion code that can expose sensitive information or crash the application. When processing certain domain names, the program reads beyond the bounds of allocated memory.

Technical detail

An out-of-bounds read exists in uv__idna_toascii() where pointer arithmetic lacks bounds validation against the buffer end marker, allowing uncontrolled memory access via uv_getaddrinfo(). This can result in information disclosure or denial of service when processing IDNA domain name conversions.

Summary generated and translated by AI from the official description.

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().
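
The kind of p-against-pe check the description says was missing, shown on a stand-alone UTF-8 decoder. This is an added example, not libuv or Node.js code; decode1_checked and decode_prefix are hypothetical names and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustrative decoder (hypothetical, not libuv code). Decodes one UTF-8
 * code point from [*p, pe); returns it, or -1 on truncated or malformed
 * input. *p is never advanced past pe. */
static long decode1_checked(const unsigned char **p, const unsigned char *pe) {
  const unsigned char *s = *p;
  long cp, min;
  int need, i;

  if (s >= pe) return -1;                 /* nothing left to read */
  cp = *s++;
  if (cp < 0x80) { *p = s; return cp; }   /* ASCII fast path */
  if (cp >= 0xC2 && cp <= 0xDF)      { need = 1; cp &= 0x1F; min = 0x80; }
  else if (cp >= 0xE0 && cp <= 0xEF) { need = 2; cp &= 0x0F; min = 0x800; }
  else if (cp >= 0xF0 && cp <= 0xF4) { need = 3; cp &= 0x07; min = 0x10000; }
  else { *p = s; return -1; }             /* invalid lead byte */

  /* Compare against pe before touching the continuation bytes. */
  if ((size_t)(pe - s) < (size_t)need) { *p = pe; return -1; }

  for (i = 0; i < need; i++) {
    if ((s[i] & 0xC0) != 0x80) { *p = s + i; return -1; }
    cp = (cp << 6) | (s[i] & 0x3F);
  }
  *p = s + need;
  if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return -1;
  return cp;
}

/* Decode the first code point of buf[0..len) and report bytes consumed. */
static long decode_prefix(const unsigned char *buf, size_t len, size_t *used) {
  const unsigned char *p = buf;
  long cp = decode1_checked(&p, buf + len);
  *used = (size_t)(p - buf);
  return cp;
}

int main(void) {
  /* Constructed sample: U+20AC in a 3-byte array, logical length 1. */
  const unsigned char euro[] = {0xE2, 0x82, 0xAC};
  size_t used;
  long cp = decode_prefix(euro, 1, &used);
  printf("cp=%ld used=%zu\n", cp, used);
  return 0;
}
```

With the logical length set to 1, the two bytes after pe would complete a valid sequence, so a decoder without the check would return a code point built from memory outside the input.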

Affected products
NodeJS · Node