CVE-2017-15897

LOW

Node.js <9.X - Buffer Overflow

Title source: llm

Description

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.

References (1)

[Issue Tracking, Vendor Advisory] https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/

Scores

CVSS v3 3.1

EPSS 0.0049

EPSS Percentile 65.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-665

Status draft

Affected Products (2)

nodejs/node.js < 8.8.1

nodejs/node.js < 8.9.3

Timeline

Published Dec 11, 2017

Tracked Since Feb 18, 2026