QwikSec

Security Database

CVE

CWE

Training

CVE-2021-22918

Published: Jul 12, 2021

Modified: Apr 30, 2025

PUBLISHED

Description

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

Vendor	Product	Versions
NodeJS	Node	affected `4.0 - < 4.` affected `5.0 - < 5.` affected `6.0 - < 6.` affected `7.0 - < 7.` affected `8.0 - < 8.*` +8 more versions

Weaknesses (CWE)

References

https://hackerone.com/reports/1209681

https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

https://security.netapp.com/advisory/ntap-20210805-0003/

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.