CVE-2015-5380Improper Restriction of Operations within the Bounds of a Memory Buffer in Node.js

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-787Out-of-bounds Write7 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.6%
top 29.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
NodejsIojs Io.jsNodejs Node.js
Timeline
PublishedJul 9
Latest updateMay 17

Description

The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

Ubuntunodejs/nodejs< 4.2.6~dfsg-1ubuntu4.1+1
NVDnodejs/node.js0.12.5
NVDiojs/io.js1.8.2+9

Patches

Patch: blog.nodejs.orgPatch: blog.nodejs.org

🔴Vulnerability Details

3
GHSA
GHSA-cpgp-qq89-2x6x: The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder2022-05-17
CVEList
CVE-2015-5380: The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder2015-07-09
OSV
CVE-2015-5380: The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder2015-07-09

📋Vendor Advisories

2
Red Hat
nodejs: `Buffer` to UTF8 `String` conversion DoS2015-07-03
Debian
CVE-2015-5380: nodejs - The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8,...2015

💬Community

1
Bugzilla
CVE-2015-5380 nodejs: `Buffer` to UTF8 `String` conversion DoS2015-07-05
CVE-2015-5380 — Nodejs Node.js vulnerability | cvebase