CVE-2015-5380

Google V8 <0.12.6, io.js <1.8.3, 2.x <2.3.3 - Memory Corruption

Title source: llm

Description

The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence.

References (5)

[Various Sources] https://medium.com/%40iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852

[Patch] http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/

[Patch] https://codereview.chromium.org/1226493003

[Issue Tracking] https://github.com/joyent/node/issues/25583

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/75556

Scores

EPSS 0.0062

EPSS Percentile 69.7%

Classification

CWE

CWE-119

Status draft

Affected Products (12)

google/v8

iojs/io.js < 1.8.2

iojs/io.js

iojs/io.js

iojs/io.js

iojs/io.js

iojs/io.js

iojs/io.js

iojs/io.js

iojs/io.js

iojs/io.js

nodejs/node.js < 0.12.5

Timeline

Published Jul 09, 2015

Tracked Since Feb 18, 2026