CVE-2020-8252
published 2020-09-18

Priority: P3 38 high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.71% (49.0th percentile)

The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.

Affected

17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libuv1 | < libuv1 1.39.0-1 (bookworm) | libuv1 1.39.0-1 (bookworm) |
| fedoraproject | fedora | | |
| nodejs | node | >= 10.0 < 10.22.1 | 10.22.1 |
| nodejs | node | >= 11.0 < 11.* | 11.* |
| nodejs | node | >= 12.0 < 12.18.4 | 12.18.4 |
| nodejs | node | >= 13.0 < 13.* | 13.* |
| nodejs | node | >= 14.0 < 14.9.0 | 14.9.0 |
| nodejs | node | >= 4.0 < 4.* | 4.* |
| nodejs | node | >= 5.0 < 5.* | 5.* |
| nodejs | node | >= 6.0 < 6.* | 6.* |
| nodejs | node | >= 7.0 < 7.* | 7.* |
| nodejs | node | >= 8.0 < 8.* | 8.* |
| nodejs | node | >= 9.0 < 9.* | 9.* |
| nodejs | node.js | >= 10.0.0 < 10.22.1 | 10.22.1 |
| nodejs | node.js | >= 12.0.0 < 12.18.4 | 12.18.4 |
| nodejs | node.js | >= 14.0.0 < 14.9.0 | 14.9.0 |
| opensuse | leap | | |

CVSS provenance

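| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 7.8 | HIGH | |
| vendor_debian | | 7.8 | LOW | |
| vendor_redhat | | 7.8 | HIGH | |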