Buffer Initialization Issue in Node.js Versions 8.X and 9.X
CVE-2017-15897

3.1LOW

Key Information:

Vendor: The Node.js Project
Status: Node.js
Vendor: CVE Published:; 7 December 2017

🔔 Create The Node.js Project Vulnerability Alert

What is CVE-2017-15897?

Node.js versions 8.X and 9.X contained a bug that could lead to uninitialized buffers when the encoding of the fill value did not match the encoding specified. For instance, using 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' could result in a buffer that was not properly initialized. To address this issue, the implementation has been updated so that any mismatched encoding will result in the buffer being initialized to all zeros, enhancing the security and stability of applications relying on Node.js.

Affected Version(s)

Node.js 8.0 and higher

Node.js 9.0 and higher

References

https://nodejs.org/en/blog/vulnerability/december-2017-se...

x_refsource_CONFIRM

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 7, 2017
Vulnerability Reserved
Oct 25, 2017