Main Vulnerability Database Vulnerabilities #VU16168

#VU16168 Heap-based buffer overflow in Node.js - CVE-2018-12121

Published: November 29, 2018

Vulnerability identifier: #VU16168

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-12121

CWE-ID: CWE-122

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Node.js

Software vendor:
Node.js Foundation

Description

The disclosed vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to heap-based buffer overflow. A remote attacker can send many requests with the maximum size HTTP header of nearly 80kb/connection in combination with carefully handled completion of those headers, trigger memory corruption and cause the Node.js HTTP server to abort.

Remediation

The vulnerability has been fixed in the versions 6.15.0, 8.14.0, 10.14.0, 11.3.0.

External links

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

#VU16168 Heap-based buffer overflow in Node.js - CVE-2018-12121

Description

Remediation

External links

Please verify you're human