Description
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.
References (6)
Core 6
Core References
Various Sources x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21684769
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/61260
Third Party Advisory x_refsource_confirm
http://advisories.mageia.org/MGASA-2014-0516.html
Exploit x_refsource_confirm
https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356
Patch, Vendor Advisory x_refsource_confirm
http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2015:142
Scores
EPSS
0.0126
EPSS Percentile
79.7%
Details
CWE
CWE-119
Status
published
Products (50)
nodejs/nodejs
0.8.0
nodejs/nodejs
0.8.1
nodejs/nodejs
0.8.2
nodejs/nodejs
0.8.3
nodejs/nodejs
0.8.4
nodejs/nodejs
0.8.5
nodejs/nodejs
0.8.6
nodejs/nodejs
0.8.7
nodejs/nodejs
0.8.8
nodejs/nodejs
0.8.9
... and 40 more
Published
Sep 05, 2014
Tracked Since
Feb 18, 2026