Your submission was sent successfully! Close

CVE-2021-22931

Published: 16 August 2021

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Notes

AuthorNote
sbeattie
(from debian) nodejs uses system c-ares which fixed
CVE-2021-3672 and so this entry might be not-affected
Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
nodejs
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

hirsute Ignored
(reached end-of-life)
impish Ignored
(reached end-of-life)
jammy Needs triage

kinetic Needs triage

trusty Needs triage

upstream Needs triage

xenial Ignored
(out of standard support)