CVE-2021-22918
published 2021-07-12


Priority: P339, medium, 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 23.13% (97.5th percentile)

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

Affected

21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libuv1 | < libuv1 1.40.0-2 (bookworm) | libuv1 1.40.0-2 (bookworm) |
| msrc | azl3_pytorch_2.2.2-4_on_azure_linux_3.0 | | |
| msrc | azl3_pytorch_2.2.2-7_on_azure_linux_3.0 | | |
| msrc | cm1_nodejs_14.17.2-1_on_cbl_mariner_1.0 | | |
| nodejs | node | >= 10.0 < 10.* | 10.* |
| nodejs | node | >= 11.0 < 11.* | 11.* |
| nodejs | node | >= 12.0 < 12.22.2 | 12.22.2 |
| nodejs | node | >= 13.0 < 13.* | 13.* |
| nodejs | node | >= 14.0 < 14.17.2 | 14.17.2 |
| nodejs | node | >= 15.0 < 15.* | 15.* |
| nodejs | node | >= 16.0 < 16.4.1 | 16.4.1 |
| nodejs | node | >= 4.0 < 4.* | 4.* |
| nodejs | node | >= 5.0 < 5.* | 5.* |
| nodejs | node | >= 6.0 < 6.* | 6.* |
| nodejs | node | >= 7.0 < 7.* | 7.* |
| nodejs | node | >= 8.0 < 8.* | 8.* |
| nodejs | node | >= 9.0 < 9.* | 9.* |
| nodejs | node.js | >= 12.0.0 < 12.22.2 | 12.22.2 |
| nodejs | node.js | >= 14.0.0 < 14.17.2 | 14.17.2 |
| nodejs | node.js | >= 16.0.0 < 16.4.1 | 16.4.1 |
| siemens | sinec_infrastructure_network_services | < 1.0.1.1 | 1.0.1.1 |

CVSS provenance

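| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 5.3 | MEDIUM | |
| vendor_debian | | 5.3 | MEDIUM | |
| vendor_msrc | | 5.3 | MEDIUM | |
| vendor_redhat | | 5.3 | MEDIUM | |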