4 matches found
Node.js: Memory Corruption via TOCTOU Race in SharedArrayBuffer UTF-8 Decode (`StringBytes::Encode`)
I discovered a memory corruption vulnerability in Node.js's native UTF-8 string decoding path (`src/string_bytes.cc`). When `Buffer.prototype.toString('utf8')` is called on a Buffer backed by a SharedArrayBuffer, the underlying native code performs a validate-then-convert sequence without copying the data...
SUSE CVE-2019-13067
njs through 0.3.3, used in NGINX, has a buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c. This issue occurs after the fix for CVE-2019-12207 is in place...
Moddable SDK OS Security Vulnerability
Moddable SDK is a set of software development kits (SDKs) for IoT embedded software development from Moddable, Inc. in the United States. A security vulnerability exists in Moddable SDK versions prior to OS200908, which originates in the moddable/xs/sources/xsCommon.c:916 fxUTF8Decode function...
php: XSS mitigation bypass via utf8_decode()
The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string...