Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv_idnatoascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "1.34.2-1ubuntu1.3", "binary_name": "libuv1" }, { "binary_version": "1.34.2-1ubuntu1.3", "binary_name": "libuv1-dbgsym" }, { "binary_version": "1.34.2-1ubuntu1.3", "binary_name": "libuv1-dev" } ] }