CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

Percentile: 81.1%

The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in
Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x
before 2.3.3, and other products, does not verify that there is memory
available for a UTF-16 surrogate pair, which allows remote attackers to
cause a denial of service (memory corruption) or possibly have unspecified
other impact via a crafted byte sequence.
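
The missing check described above, shown as an added illustration in C. This is not V8's code: `utf8_to_utf16`, `next_code_point`, `decode_sample` and `UTF16_ERR` are hypothetical names, and the UTF-8 validation is simplified (overlong forms are not rejected). The point is that a code point above U+FFFF needs two free UTF-16 units in the output buffer, so the writer must confirm both are available before storing the surrogate pair.

```c
#include <stddef.h>
#include <stdint.h>
#define UTF16_ERR ((size_t)-1)

/* Decode one UTF-8 sequence starting at in[*i]; returns the code point,
   or 0xFFFFFFFF on malformed or truncated input. */
static uint32_t next_code_point(const uint8_t *in, size_t len, size_t *i) {
    uint8_t b = in[(*i)++];
    uint32_t cp;
    int extra;
    if (b < 0x80) return b;
    else if ((b & 0xE0) == 0xC0) { cp = b & 0x1F; extra = 1; }
    else if ((b & 0xF0) == 0xE0) { cp = b & 0x0F; extra = 2; }
    else if ((b & 0xF8) == 0xF0) { cp = b & 0x07; extra = 3; }
    else return 0xFFFFFFFFu;
    while (extra-- > 0) {
        if (*i >= len || (in[*i] & 0xC0) != 0x80) return 0xFFFFFFFFu;
        cp = (cp << 6) | (in[(*i)++] & 0x3F);
    }
    return cp;
}

/* Writes UTF-16 code units into out[0..cap). Returns the number of units
   written, or UTF16_ERR if the input is malformed or out is too small. */
size_t utf8_to_utf16(const uint8_t *in, size_t len, uint16_t *out, size_t cap) {
    size_t i = 0, n = 0;
    while (i < len) {
        uint32_t cp = next_code_point(in, len, &i);
        if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return UTF16_ERR;
        if (cp < 0x10000) {
            if (cap - n < 1) return UTF16_ERR;
            out[n++] = (uint16_t)cp;
        } else {
            /* Surrogate pair: require TWO free units, not one. */
            if (cap - n < 2) return UTF16_ERR;
            cp -= 0x10000;
            out[n++] = (uint16_t)(0xD800 | (cp >> 10));
            out[n++] = (uint16_t)(0xDC00 | (cp & 0x3FF));
        }
    }
    return n;
}

/* Constructed sample: "a" followed by U+1F600, which needs a surrogate pair. */
size_t decode_sample(size_t cap) {
    static const uint8_t sample[] = { 'a', 0xF0, 0x9F, 0x98, 0x80 };
    uint16_t buf[4] = { 0 };
    return utf8_to_utf16(sample, sizeof sample, buf, cap <= 4 ? cap : 4);
}
```

With a capacity of 2 the sample is rejected, because only one unit remains after "a" and the pair would otherwise run one unit past the end of the buffer.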
Author | Note |
---|---|
msalvatore | Does not affect Node.js before 0.12.0 |
blog.nodejs.org/2015/07/03/node-v0-12-6-stable/
www.openwall.com/lists/oss-security/2015/07/05/1
codereview.chromium.org/1226493003
github.com/joyent/node/issues/25583
launchpad.net/bugs/cve/CVE-2015-5380
medium.com/@iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852
nvd.nist.gov/vuln/detail/CVE-2015-5380
security-tracker.debian.org/tracker/CVE-2015-5380
www.cve.org/CVERecord?id=CVE-2015-5380