CVE-2021-45701

Name of the Vulnerable Software and Affected Versions: tremor-script versions prior to 0.11.6

Description: The issue is related to a use-after-free error in the tremor-script crate. It affects the tremor-script language constructs, specifically Merge and Patch, where the result is assigned back to the target expression and the expression to be merged or the patch operations need to reference the event. The optimization to manipulate the target value in-place, instead of cloning it, was considered safe as long as it was only possible to merge or patch event data or static data. However, when state was introduced to tremor-script, a new possibility existed to keep Value data around for longer than the lifetime of an event, allowing access to already freed regions of memory.

Recommendations: For versions prior to 0.11.6, consider upgrading to version 0.11.6 or later, where the flaw was corrected by removing the optimization and always cloning the target expression of a Merge or Patch. As a temporary workaround, avoid the optimization by introducing a temporary variable and not immediately reassigning to state, for example:

let tmp = merge state of event end;
let state = tmp