CVE-2020-8265

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

Published: Jan 6, 2021
Updated: Apr 14, 2023
CVE: CVE-2020-8265
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-416

Affected Software
References

Software	From	Fixed in
nodejs / node.js	15.0.0	15.5.1
nodejs / node.js	14.0.0	14.15.4
nodejs / node.js	12.0.0	12.20.1
nodejs / node.js	10.0.0	10.23.1
debian / debian_linux	10.0	10.0.x
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
oracle / graalvm	19.3.4	19.3.4.x
oracle / graalvm	20.3.0	20.3.0.x
siemens / sinec_infrastructure_network_services	-	1.0.1.1

Vulnerability Database

289,599

CVE-2020-8265