CVE-2018-7167

HIGH

Nodejs Node.js < 6.14.3 - Memory Corruption

Title source: rule

Description

Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.

References (3)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/106363

[Vendor Advisory] https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/

[Third Party Advisory] https://security.gentoo.org/glsa/202003-48

Scores

CVSS v3 7.5

EPSS 0.0081

EPSS Percentile 74.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-119

Status published

Affected Products (2)

nodejs/node.js < 6.14.3

nodejs/node.js < 9.11.2

Timeline

Published Jun 13, 2018

Tracked Since Feb 18, 2026