First published: Thu Jul 01 2021 (Updated: )
Node.js is vulnerable to a denial of service, caused by an out-of-bounds read in libuv's uv__idna_toascii() function, which converts host names to ASCII. The function is reachable through the dns module's lookup() function, so a remote attacker who controls a host name that is looked up could exploit this vulnerability to obtain sensitive information (over-read of adjacent memory) or cause a denial of service (crash).
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
Nodejs Node.js | >=12.0.0 <12.22.2 | 12.22.2 |
Nodejs Node.js | >=14.0.0 <14.17.2 | 14.17.2 |
Nodejs Node.js | >=16.0.0 <16.4.1 | 16.4.1 |
Siemens Sinec Infrastructure Network Services | <1.0.1.1 | 1.0.1.1 |
redhat/node | <16.4.1 | 16.4.1 |
redhat/node | <14.17.2 | 14.17.2 |
redhat/node | <12.22.2 | 12.22.2 |
redhat/libuv | <1.41.1 | 1.41.1 |
redhat/libuv | <1:1.41.1-1.el8_4 | 1:1.41.1-1.el8_4 |
redhat/rh-nodejs12-nodejs | <0:12.22.2-1.el7 | 0:12.22.2-1.el7 |
redhat/rh-nodejs12-nodejs-nodemon | <0:2.0.3-2.el7 | 0:2.0.3-2.el7 |
redhat/rh-nodejs14-nodejs | <0:14.17.2-1.el7 | 0:14.17.2-1.el7 |
redhat/rh-nodejs14-nodejs-nodemon | <0:2.0.3-2.el7 | 0:2.0.3-2.el7 |
The severity of CVE-2021-22918 is medium with a CVSS score of 6.5.
Node.js 12.x before 12.22.2, 14.x before 14.17.2, and 16.x before 16.4.1 are affected by CVE-2021-22918.
To fix CVE-2021-22918, update Node.js to version 16.4.1, 14.17.2, or 12.22.2.
The Common Weakness Enumeration (CWE) for CVE-2021-22918 is CWE-125.
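A practical check for the version ranges above, as an added example that is not part of this advisory or of the Node.js project: it classifies a Node.js version string as vulnerable or fixed for CVE-2021-22918 using only the fixed releases the advisory lists (12.22.2, 14.17.2, 16.4.1). Release lines the advisory does not mention are reported as "unknown" rather than assumed safe. The function and constant names are this example's own.

```javascript
'use strict';
// Added example, not code from the advisory or from Node.js/libuv.
// Fixed releases per the advisory: 12.22.2, 14.17.2, 16.4.1.
const FIXED_IN = { 12: [12, 22, 2], 14: [14, 17, 2], 16: [16, 4, 1] };

// Parse "v14.17.1" or "14.17.1" into [major, minor, patch]; throws on junk
// so that a malformed input can never be mistaken for a fixed version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a Node.js version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch]: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns 'vulnerable', 'fixed', or 'unknown' (a release line the advisory
// does not cover, e.g. 10.x or 17.x; treat 'unknown' as "go and check",
// not as safe).
function cve202122918Status(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED_IN[parsed[0]];
  if (!fixed) return 'unknown';
  return compareVersions(parsed, fixed) < 0 ? 'vulnerable' : 'fixed';
}

// Check the interpreter this script runs under. process.versions.node is
// the reliable signal; process.versions.uv is not, because the Node.js
// security releases carried the libuv fix as an in-tree patch rather than
// a libuv version bump, so a patched Node can still report a pre-fix libuv
// version string (caveat stated as this example's understanding, verify
// against your own build).
const runningStatus = cve202122918Status(process.versions.node);
console.log(`node ${process.versions.node}: ${runningStatus}`);
```

Run it with the Node binary you deploy, not the one on your workstation; for the Red Hat packages in the table, compare the installed RPM version against the listed fix version instead, since distribution builds backport fixes without changing the upstream version string.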
You can find more information about CVE-2021-22918 at the following references: [link1], [link2], [link3], [link4], [link5].