CVE-2015-5380

2015-07-0910:59:00

CWE-119

[email protected]

web.nvd.nist.gov

cve-2015-5380

memory corruption

google v8

node.js

io.js

utf-16

surrogate pair

denial of service

nvd

7.2 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.008 Low

EPSS

Percentile

81.0%

JSON

The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence.

CPENameOperatorVersion
google:v8google v8eq-
iojs:io.jsiojs io.jseq2.0.0
iojs:io.jsiojs io.jseq2.3.2
iojs:io.jsiojs io.jseq2.0.2
iojs:io.jsiojs io.jseq2.2.0
iojs:io.jsiojs io.jseq2.0.1
iojs:io.jsiojs io.jseq2.1.0
iojs:io.jsiojs io.jseq2.3.1
iojs:io.jsiojs io.jseq2.3.0
iojs:io.jsiojs io.jsle1.8.2

CPE	Name	Operator	Version
google:v8	google v8	eq	-
iojs:io.js	iojs io.js	eq	2.0.0
iojs:io.js	iojs io.js	eq	2.3.2
iojs:io.js	iojs io.js	eq	2.0.2
iojs:io.js	iojs io.js	eq	2.2.0
iojs:io.js	iojs io.js	eq	2.0.1
iojs:io.js	iojs io.js	eq	2.1.0
iojs:io.js	iojs io.js	eq	2.3.1
iojs:io.js	iojs io.js	eq	2.3.0
iojs:io.js	iojs io.js	le	1.8.2