Memory Corruption Vulnerability in Node.js and Google V8 Products
CVE-2015-5380

Currently unrated

Key Information:

Vendor: Google
Status: V8
Vendor: CVE Published:; 9 July 2015

Summary

The Utf8DecoderBase::WriteUtf16Slow function in the unicode-decoder.cc file of the Google V8 engine, utilized in Node.js and io.js, is vulnerable due to its failure to verify memory availability for UTF-16 surrogate pairs. This flaw could be exploited by remote attackers to induce a denial of service through crafted byte sequences, resulting in potential memory corruption and service disruption.

References

https://codereview.chromium.org/1226493003

x_refsource_CONFIRM

https://medium.com/%40iojs/important-security-upgrades-fo...

x_refsource_CONFIRM

https://github.com/joyent/node/issues/25583

x_refsource_CONFIRM

Timeline

Vulnerability published
Jul 9, 2015
Vulnerability Reserved
Jul 6, 2015