Main Vulnerability Database Vulnerabilities #VU13378

#VU13378 Resource exhaustion in Node.js - CVE-2018-7164

Published: June 18, 2018

Vulnerability identifier: #VU13378

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-7164

CWE-ID: CWE-400

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Node.js

Software vendor:
Node.js Foundation

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to insufficient input validation when reading from the network into JavaScript using the net.Socket object directly as a stream. A remote attacker can send tiny chunks of data in short succession, trigger resource exhaustion and cause the server to crash.

Remediation

Update to version 10.4.1.

External links

https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/