CVE-2024-21522

HIGH

audify - Denial of Service via Negative frameSize in OpusDecoder

Description

All versions of the package audify are vulnerable to Improper Validation of Array Index: when frameSize is provided to the new OpusDecoder().decode or new OpusDecoder().decodeFloat functions, it is not checked for negative values. This can lead to a process crash.

Scores

CVSS v3 7.5
EPSS 0.0061
EPSS Percentile 44.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-129
Status published
Products (2)
n/a/audify
npm/audify 0npm
Published Jul 10, 2024
Tracked Since Feb 18, 2026