PT-2021-2037 · Node.Js+8

Published: 2020-01-24 · Updated: 2026-05-18 · CVE-2020-8265

CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions:
Node.js versions prior to 10.23.1
Node.js versions prior to 12.20.1
Node.js versions prior to 14.15.4
Node.js versions prior to 15.5.1

Description: The issue is a use-after-free bug in the TLS implementation of Node.js. When writing to a TLS-enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as the first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory, leading to a Denial of Service or potentially other exploits.

Recommendations:
For Node.js versions prior to 10.23.1, update to version 10.23.1 or later.
For Node.js versions prior to 12.20.1, update to version 12.20.1 or later.
For Node.js versions prior to 14.15.4, update to version 14.15.4 or later.
For Node.js versions prior to 15.5.1, update to version 15.5.1 or later.

Exploit

Fix

DoS

Use After Free

Weakness Enumeration

Related Identifiers

ALSA-2021:0548
ALSA-2021:0549
ALSA-2021:0551
ALT-PU-2020-1090
ALT-PU-2021-1226
ALT-PU-2021-1493
ALT-PU-2022-3073
BDU:2021-00883
BIT-NODE-2020-8265
BIT-NODE-MIN-2020-8265
CESA-2021_0548
CESA-2021_0549
CESA-2021_0551
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2020-8265
DSA-4826-1
MGASA-2021-0069
OESA-2021-1058
OPENSUSE-SU-2021:0064-1
OPENSUSE-SU-2021:0065-1
OPENSUSE-SU-2021:0066-1
OPENSUSE-SU-2021:0082-1
OPENSUSE-SU-2021_0064-1
OPENSUSE-SU-2021_0065-1
OPENSUSE-SU-2021_0066-1
OPENSUSE-SU-2021_0082-1
OPENSUSE-SU-2024:11096-1
RHSA-2021:0421
RHSA-2021:0485
RHSA-2021:0521
RHSA-2021:0548
RHSA-2021:0549
RHSA-2021:0551
RHSA-2021_0548
RHSA-2021_0549
RHSA-2021_0551
RLSA-2021:0548
RLSA-2021:0549
RLSA-2021:0551
SUSE-SU-2021:0060-1
SUSE-SU-2021:0061-1
SUSE-SU-2021:0062-1
SUSE-SU-2021:0068-1
SUSE-SU-2021:0082-1
SUSE-SU-2021:0107-1
SUSE-SU-2021_0107-1
USN-6380-1

Affected Products

Alt Linux
Almalinux
Centos
Linuxmint
Node.Js
Red Hat
Rocky Linux
Suse
Ubuntu