CVE-2018-7166

Name of the Vulnerable Software and Affected Versions Node.js versions prior to 10.9.0

Description The issue is related to an argument processing flaw in the Buffer.alloc() method. This method is intended to return initialized memory, but due to the flaw, it can return uninitialized memory. The third argument, encoding, can be misinterpreted as the start to a fill operation if passed as a number. This may lead to the return of uncleared memory blocks that may contain sensitive information, particularly when Buffer.alloc() arguments are derived from user input.

Recommendations For Node.js versions prior to 10.9.0, update to version 10.9.0 or later to resolve the issue. As a temporary workaround, consider validating and sanitizing user input before passing it to the Buffer.alloc() method to minimize the risk of exploitation. Restrict access to sensitive information and avoid using the encoding argument as a number to prevent misinterpretation by the internal "fill" method.