CVE-2024-21522

HIGH

NPM Audify - Improper Array Index Validation

Title source: rule

Description

All versions of the package audify are vulnerable to Improper Validation of Array Index when frameSize is provided to the new OpusDecoder().decode or new OpusDecoder().decodeFloat functions it is not checked for negative values. This can lead to a process crash.

References (4)

[Various Sources] https://gist.github.com/dellalibera/6bb866ae5d1cc2adaabe27bbd6d2d21e

[Various Sources] https://github.com/almoghamdani/audify/blob/94b2fe79dc528fda2c7d59c7a0fd0e9de07dc3dc/src/opus_decoder.cpp%23L53

[Various Sources] https://github.com/almoghamdani/audify/blob/94b2fe79dc528fda2c7d59c7a0fd0e9de07dc3dc/src/opus_decoder.cpp%23L79

[Third Party Advisory] https://security.snyk.io/vuln/SNYK-JS-AUDIFY-6370700

Scores

CVSS v3 7.5

EPSS 0.0029

EPSS Percentile 52.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-129

Status published

Products (2)

n/a/audify

npm/audify 0npm

Published Jul 10, 2024

Tracked Since Feb 18, 2026