CVE-2020-8277

HIGH LAB

Node.js <15.2.1, <14.15.1, <12.19.1 - DoS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-8277. PoCs published by masahiro331, AndrewIjano.

AI-analyzed exploit summary This repository contains a functional PoC for CVE-2020-8277, a DoS vulnerability in Node.js caused by a read out-of-bounds error when resolving a hostname with a large number of DNS records. The exploit uses a Dockerized BIND server to simulate the malicious DNS response and a Node.js script to trigger the vulnerability.

Description

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.

Exploits (2)

nomisec WORKING POC 8 stars
by masahiro331 · poc
https://github.com/masahiro331/CVE-2020-8277

This repository contains a functional PoC for CVE-2020-8277, a DoS vulnerability in Node.js caused by a read out-of-bounds error when resolving a hostname with a large number of DNS records. The exploit uses a Dockerized BIND server to simulate the malicious DNS response and a Node.js script to trigger the vulnerability.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Node.js < v15.2.1
No auth needed
Prerequisites: Docker to run the BIND server · Node.js < v15.2.1 for the vulnerable environment
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by AndrewIjano · poc
https://github.com/AndrewIjano/CVE-2020-8277

This repository contains a functional PoC for CVE-2020-8277, a DoS vulnerability in Node.js caused by a read out-of-bounds error when resolving a hostname with a large number of DNS records. The PoC includes a DNS server setup and a Node.js server to trigger the vulnerability.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Node.js < v15.2.1
No auth needed
Prerequisites: Docker for DNS server setup · Node.js < v15.2.1
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (13)

Core 13
Core References
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1033107
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202012-11
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202101-07
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html

Scores

CVSS v3 7.5
EPSS 0.5416
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull internetsystemsconsortium/bind9:9.11

Details

CWE
CWE-400
Status published
Products (14)
c-ares_project/c-ares < 1.16.0
fedoraproject/fedora 32
fedoraproject/fedora 33
nodejs/node.js 12.16.3 - 12.19.1
nodejs/node.js 15.0.0 - 15.2.1
oracle/blockchain_platform < 21.1.2
oracle/graalvm 19.3.4
oracle/graalvm 20.3.0
oracle/jd_edwards_enterpriseone_tools < 9.2.6.0
oracle/mysql_cluster < 8.0.23
... and 4 more
Published Nov 19, 2020
Tracked Since Feb 18, 2026