← Back

CVE-2021-22918

nvd nist
Published: Jul 12, 2021Modified: Jun 17, 2026

JSON object

Loading...
5.3
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 / Impact: 1.4
Source: NVD

Description

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

Affected (4)

Nodejs
1 product
Node.js
Siemens
1 product
Sinec Infrastructure Network Services
Configuration A
3 vulnerable
Vulnerable SoftwareAffected Versions
Nodejs
Node.js
From 12.0.0 to 12.22.2
Node.js
From 14.0.0 to 14.17.2
Node.js
From 16.0.0 to 16.4.1
Configuration B
1 vulnerable
Vulnerable SoftwareAffected Versions
Sinec Infrastructure Network Services
Before 1.0.1.1

Related CWEs

CWE-125
Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.

References (10)

Source: support@hackerone.com
PatchThird Party Advisory
Source: support@hackerone.com
ExploitThird Party Advisory
Source: support@hackerone.com
PatchVendor Advisory
Source: support@hackerone.com
Source: support@hackerone.com
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.