CVE-2021-22918

Published: 02 July 2021

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

Priority

Medium

CVSS 3 base score: 5.3

Status

Package Release Status
libuv1
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo)
Released (1.40.0-1ubuntu0.1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (1.34.2-1ubuntu1.3)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(code not present)
Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(out of standard support)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829