CVE-2015-5380

The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence.

Published: Jul 9, 2015
Updated: Apr 13, 2023
CVE: CVE-2015-5380
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-119

Affected Software
References

Software	From	Fixed in
iojs / io.js	2.0.0	2.0.0.x
iojs / io.js	2.3.2	2.3.2.x
iojs / io.js	2.0.2	2.0.2.x
iojs / io.js	2.2.0	2.2.0.x
iojs / io.js	2.0.1	2.0.1.x
iojs / io.js	2.1.0	2.1.0.x
iojs / io.js	2.3.1	2.3.1.x
iojs / io.js	2.3.0	2.3.0.x
iojs / io.js	-	1.8.2.x
iojs / io.js	2.2.1	2.2.1.x
nodejs / node.js	-	0.12.5.x

http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/
http://www.securityfocus.com/bid/75556
https://codereview.chromium.org/1226493003
https://github.com/joyent/node/issues/25583
https://medium.com/@iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852
https://medium.com/%40iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852

Vulnerability Database

289,599

CVE-2015-5380