Description
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to remote code execution, XSS, and application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js dns library, which can lead to output of wrong hostnames (leading to domain hijacking) and injection vulnerabilities in applications using the library.
References (9)
https://security.gentoo.org/glsa/202401-02 (Third Party Advisory, vendor-advisory)
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf (Patch, Third Party Advisory)
https://hackerone.com/reports/1178337 (Exploit, Issue Tracking, Third Party Advisory)
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/ (Patch, Vendor Advisory)
https://security.netapp.com/advisory/ntap-20210923-0001/ (Third Party Advisory)
https://security.netapp.com/advisory/ntap-20211022-0003/ (Third Party Advisory)
https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
https://www.oracle.com/security-alerts/cpujul2022.html (Third Party Advisory)
https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
Scores
CVSS v3: 9.8
EPSS: 0.0066
EPSS Percentile: 71.4%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment): Exploitation: none; Automatable: yes; Technical Impact: total
Details
CWE: CWE-170, CWE-20
Status: published
Products (14)
netapp/active_iq_unified_manager (2 CPE variants)
netapp/nextgen_api
netapp/oncommand_insight
netapp/oncommand_workflow_automation
netapp/snapcenter
nodejs/node.js 12.0.0 - 12.12.0
nodejs/node.js 12.13.0 - 12.22.5
oracle/graalvm 20.3.3
oracle/graalvm 21.2.0
oracle/mysql_cluster < 8.0.26
... and 4 more
Published: Aug 16, 2021
Tracked Since: Feb 18, 2026