CVE-2021-23386

HIGH

dns-packet <5.2.2 - Info Disclosure

Title source: llm

Description

This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

References (4)

[Patch, Third Party Advisory] https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563

[Patch, Third Party Advisory] https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719

[Permissions Required, Third Party Advisory] https://hackerone.com/bugs?subject=user&amp%3Breport_id=968858

[Patch, Third Party Advisory] https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56

View Patch ZIP pw:eip

Scores

CVSS v3 7.7

EPSS 0.0112

EPSS Percentile 78.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

Details

CWE

CWE-909

Status published

Products (2)

dns-packet_project/dns-packet < 1.3.4

npm/dns-packet 2.0.0 - 5.2.2npm

Published May 20, 2021

Tracked Since Feb 18, 2026