GHSA-rvgf-69j7-xh78
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rvgf-69j7-xh78
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rvgf-69j7-xh78/GHSA-rvgf-69j7-xh78.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rvgf-69j7-xh78
- Aliases
- Published
- 2022-06-18T00:00:20Z
- Modified
- 2025-05-30T20:44:36.856436Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Uncontrolled Resource Consumption in @discordjs/opus
- Details
-
Improperly handled errors in @discordjs/opus cause hard crashes instead of returning the error to user land. All versions of package @discordjs/opus (<= 0.7.0) are vulnerable to Denial of Service (DoS) when trying to encode using an encoder with zero channels, or a non-initialized buffer. This leads to a hard crash due to improperly returning the errors from the invalid inputs.
As of version 0.8.0, the errors are correctly returned to the user and are no longer throwing hard crashes that cannot be recovered.
- Database specific
{ "nvd_published_at": "2022-06-17T20:15:00Z", "cwe_ids": [ "CWE-908" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-06-20T22:30:01Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-25345
- https://github.com/discordjs/opus/commit/406249f3fca484a2af97a34ceb989019efa09bc7
- https://github.com/discordjs/opus
- https://github.com/discordjs/opus/blob/3ca4341ffdd81cf83cec57045e59e228e6017590/src/node-opus.cc#L28
- https://github.com/discordjs/opus/releases/tag/v0.8.0
- https://snyk.io/vuln/SNYK-JS-DISCORDJSOPUS-2403100
Affected packages
npm / @discordjs/opus
Package
- Name
- @discordjs/opus
- View open source insights on deps.dev
- Purl
- pkg:npm/%40discordjs/opus