| Name | CVE-2021-22918 |
| Description | Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo(). |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-4936-1 |
| Debian Bugs | 990561 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libuv1 (PTS) | bullseye (security), bullseye | 1.40.0-2+deb11u1 | fixed |
| bookworm, bookworm (security) | 1.44.2-1+deb12u1 | fixed | |
| trixie, sid | 1.50.0-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libuv1 | source | stretch | (not affected) | |||
| libuv1 | source | buster | 1.24.1-1+deb10u1 | DSA-4936-1 | ||
| libuv1 | source | (unstable) | 1.40.0-2 | 990561 |
[stretch] - libuv1 <not-affected> (Vulnerable code added later)
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829