Bnoordhuis

#10909of 53,634
25.3Total CVSS
Vulnerabilities · 3
High
2
Critical
1
PT-2025-18013
7.8
2025-04-27
Unknown · Quickjs-Ng · CVE-2025-46687
**Name of the Vulnerable Software and Affected Versions** quickjs-ng versions 0.9.0 and earlier QuickJS versions prior to 2025-04-26 **Description** The issue is related to a missing length check in `JS ReadString` for a string, which can lead to a heap-based buffer overflow. **Recommendations** For quickjs-ng versions 0.9.0 and earlier, update to a version that includes the fix for the missing length check in `JS ReadString`. For QuickJS versions prior to 2025-04-26, update to a version released after 2025-04-26 to resolve the issue.
PT-2025-18014
8.4
2025-04-27
Unknown · Quickjs-Ng · CVE-2025-46688
**Name of the Vulnerable Software and Affected Versions** quickjs-ng versions 0.9.0 and earlier QuickJS versions prior to 2025-04-26 **Description** The issue is related to an incorrect size calculation in `JS ReadBigInt` for a `BigInt`, leading to a heap-based buffer overflow. **Recommendations** For quickjs-ng versions 0.9.0 and earlier, update to a version later than 0.9.0 to resolve the issue. For QuickJS versions prior to 2025-04-26, update to a version released after 2025-04-26 to fix the problem. As a temporary workaround, consider restricting the use of the `JS ReadBigInt` function for `BigInt` values until a patch is available.
PT-2022-22662
9.1
2022-09-23
Node.Js · Node.Js · CVE-2022-35255
**Name of the Vulnerable Software and Affected Versions** Node.js version 18 **Description** A weak randomness issue exists in the WebCrypto keygen due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto keygen.cc. There are two main problems: 1. The return value of EntropySource() is not checked, assuming it always succeeds, but it can fail. 2. The random data returned by EntropySource() may not be cryptographically strong, making it unsuitable as keying material. **Recommendations** For Node.js version 18, consider disabling the use of WebCrypto keygen until a patch is available to address the weak randomness issue. Restrict access to the affected `EntropySource()` function to minimize the risk of exploitation. Avoid using the `SecretKeyGenTraits::DoKeyGen()` function in src/crypto/crypto keygen.cc until the issue is resolved.