CVE-2021-22931 vulnerability in nodejs and Other Products

CVE-2021-22931 vulnerability in nodejs and Other Products
Published on August 16, 2021

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Weakness Type

Improper Null Termination

The software does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator. Null termination errors frequently occur in two different ways. An off-by-one error could cause a null to be written out of bounds, leading to an overflow. Or, a program could use a strncpy() function call incorrectly, which prevents a null terminator from being added at all. Other scenarios are possible.

Products Associated with CVE-2021-22931

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-22931 are published in these products:

Affected Versions

Version 4.0 and below 4.* is affected.

Version 5.0 and below 5.* is affected.

Version 6.0 and below 6.* is affected.

Version 7.0 and below 7.* is affected.

Version 8.0 and below 8.* is affected.

Version 9.0 and below 9.* is affected.

Version 10.0 and below 10.* is affected.

Version 11.0 and below 11.* is affected.

Version 12.0 and below 12.22.5 is affected.

Version 13.0 and below 13.* is affected.

Version 14.0 and below 14.17.5 is affected.

Version 15.0 and below 15.* is affected.

Version 16.0 and below 16.6.2 is affected.

Exploit Probability

EPSS

0.71%

Percentile

71.96%