CVE-2021-22918

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

Published: Jul 12, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-22918
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-125

Affected Software
References

Software	From	Fixed in
nodejs / node.js	16.0.0	16.4.1
nodejs / node.js	14.0.0	14.17.2
nodejs / node.js	12.0.0	12.22.2
siemens / sinec_infrastructure_network_services	-	1.0.1.1

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://hackerone.com/reports/1209681
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
https://security.gentoo.org/glsa/202401-23
https://security.netapp.com/advisory/ntap-20210805-0003/

Vulnerability Database

289,599

CVE-2021-22918