Out-of-Bounds Read Vulnerability in Node.js via uv__idna_toascii()

Out-of-Bounds Read Vulnerability in Node.js via uv__idna_toascii()

CVE-2021-22918 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

Learn more about our Web Application Penetration Testing UK.