CVE-2021-22918

Published: 2 July 2021

Node.js before 16.4.1, 14.17.2 and 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read from and advanced without checking whether it has passed pe, which points to the end of the buffer. This can lead to information disclosure or crashes. The function can be reached via uv_getaddrinfo().
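The missing check described above, as an added illustration that is not libuv's or Node.js's code: a constructed label scanner using the same p/pe (cursor / end-of-buffer) convention, where every dereference and every fixed-width lookahead is bounded by pe. The label rules (non-empty, at most 63 bytes, "xn--" prefix) are assumptions chosen for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not libuv's code: the p/pe (cursor / end-of-buffer)
 * convention the advisory describes, with every read of *p and every
 * fixed-width lookahead guarded against pe, so the scan cannot read past
 * the buffer even when the input is not NUL-terminated. */

/* Bounded lookahead: only compare when at least n bytes remain before pe. */
static int has_prefix(const char* p, const char* pe, const char* pfx, size_t n) {
  return (size_t)(pe - p) >= n && memcmp(p, pfx, n) == 0;
}

/* Walk a dotted name label by label. Returns the number of labels, or -1 if
 * a label is empty or longer than 63 bytes. Labels starting with the ACE
 * prefix "xn--" are counted into *ace. */
static int walk(const char* buf, size_t len, int* ace) {
  const char* p = buf;
  const char* pe = buf + len;
  int labels = 0;
  *ace = 0;
  while (p < pe) {                 /* guard before the first read of *p */
    const char* start = p;
    if (has_prefix(p, pe, "xn--", 4))
      (*ace)++;
    while (p < pe && *p != '.')    /* never dereference p once p == pe */
      p++;
    size_t n = (size_t)(p - start);
    if (n == 0 || n > 63)
      return -1;
    labels++;
    if (p < pe)                    /* advance past '.' only if one was read */
      p++;
  }
  return labels;
}

/* Number of labels in buf[0..len), or -1 on a malformed name. */
int label_count(const char* buf, size_t len) {
  int ace;
  return walk(buf, len, &ace);
}

/* Number of "xn--" labels in buf[0..len), or -1 on a malformed name. */
int ace_label_count(const char* buf, size_t len) {
  int ace;
  return walk(buf, len, &ace) < 0 ? -1 : ace;
}
```

Passing a length shorter than the string (as with "abc" read as two bytes) shows that the scan stops at pe rather than at a terminator.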

Priority

Medium

CVSS 3 base score: 5.3

Status

Package: libuv1 (Launchpad, Ubuntu, Debian)

Release   Status
bionic    Not vulnerable (code not present)
focal     Released (1.34.2-1ubuntu1.3)
groovy    Released (1.38.0-2ubuntu2.1)
hirsute   Released (1.40.0-1ubuntu0.1)
impish    Released (1.40.0-2)
jammy     Released (1.40.0-2)
trusty    Does not exist
upstream  Needs triage
xenial    Not vulnerable (code not present)
Patches:
upstream: https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829