Description
Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/101881
Vendor Advisory x_refsource_confirm
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
Vendor Advisory x_refsource_confirm
https://nodejs.org/en/blog/release/v8.8.0/
Vendor Advisory x_refsource_confirm
https://nodejs.org/en/blog/release/v6.11.5/
Vendor Advisory x_refsource_confirm
https://nodejs.org/en/blog/release/v4.8.5/
Scores
CVSS v3
7.5
EPSS
0.0078
EPSS Percentile
74.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-20
Status
published
Products (23)
nodejs/node.js
4.8.2
nodejs/node.js
4.8.3
nodejs/node.js
4.8.4
nodejs/node.js
6.10.2
nodejs/node.js
6.10.3
nodejs/node.js
6.11.0
nodejs/node.js
6.11.1
nodejs/node.js
6.11.2
nodejs/node.js
6.11.3
nodejs/node.js
6.11.4
... and 13 more
Published
Oct 30, 2017
Tracked Since
Feb 18, 2026