Argument Processing Flaw in Node.js Leads to Memory Safety Issues
CVE-2018-7166

7.5HIGH

Key Information:

Vendor: The Node.js Project
Status: Node.js
Vendor: CVE Published:; 21 August 2018

🔔 Create The Node.js Project Vulnerability Alert

What is CVE-2018-7166?

A vulnerability exists in all versions of Node.js 10 prior to 10.9.0 that allows the Buffer.alloc() function to return uninitialized memory due to a flaw in argument processing. The encoding argument can mistakenly be interpreted as a start index for the filling operation, which may lead to returning uninitialized, sensitive data if arguments are derived from user inputs. This poses a significant risk as it may expose sensitive information stored in memory.

Affected Version(s)

Node.js All versions of Node.js 10 prior to 10.9.0

References

https://access.redhat.com/errata/RHSA-2018:2553

vendor-advisoryx_refsource_REDHAT

https://nodejs.org/en/blog/vulnerability/august-2018-secu...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 21, 2018
Vulnerability Reserved
Feb 15, 2018