CVE-2018-7167
HIGHNode.js 6.9.0-6.14.2 and 9.0.0-9.11.1 - Denial of Service via Buffer.fill() or Buffer.alloc()
Title source: llmDescription
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/106363
Vendor Advisory x_refsource_confirm
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202003-48
Scores
CVSS v3
7.5
EPSS
0.0076
EPSS Percentile
73.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-119
Status
published
Products (2)
nodejs/node.js
6.9.0 - 6.14.3
nodejs/node.js
9.0.0 - 9.11.2
Published
Jun 13, 2018
Tracked Since
Feb 18, 2026