CVE-2021-23386

HIGH

dns-packet <5.2.2 - Info Disclosure


Description

This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over an unencrypted network when querying crafted invalid domain names.

References (4)

Core References
Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563
Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/bugs?subject=user&amp%3Breport_id=968858

Scores

CVSS v3 7.7
EPSS 0.0143
EPSS Percentile 69.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

Details

CWE
CWE-909
Status published
Products (2)
dns-packet_project/dns-packet < 1.3.4
npm/dns-packet 2.0.0 - 5.2.2
Published May 20, 2021
Tracked Since Feb 18, 2026