CVE-2018-3745
Description
atob 2.0.3 and earlier allocates uninitialized Buffers when a number is passed as input on Node.js 4.x and below.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
atob versions before 2.1.0 on Node.js 4.x and below allocate uninitialized Buffers when a number is passed, leading to potential information disclosure.
Vulnerability
The atob npm package (base64 decoding) in versions prior to 2.1.0 (including 2.0.3 and earlier) contains an out-of-bounds read vulnerability. When a number is passed as input on Node.js 4.x and below, the function allocates uninitialized Buffer objects, which may contain sensitive data from previous memory allocations. [1][2]
Exploitation
An attacker can trigger the vulnerability by providing a numeric argument to the atob function. No authentication or special privileges are required if the function is exposed to user-supplied input. The uninitialized Buffer is then returned, potentially leaking memory contents. [1][2]
Impact
Successful exploitation results in information disclosure via out-of-bounds read. An attacker may obtain sensitive data from the Node.js process memory, such as cryptographic keys, passwords, or other confidential information. [2]
Mitigation
Upgrade to atob version 2.1.0 or later, which fixes the issue by properly initializing buffers. No workarounds are documented. [2]
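As an added example (not code from the atob package, from the advisory, or from the fix in 2.1.0), a base64 decoder written in the defensive style the mitigation describes: it refuses any non-string input before a Buffer is ever created, so a numeric argument can never reach the legacy `new Buffer(number)` overload that allocated uninitialized memory on Node.js 4.x and below, and it uses `Buffer.from` / `Buffer.alloc`, which never hand back uninitialized bytes. The function names `safeAtob`, `tryDecode` and `allocZeroed` are assumptions made for this example; the `Buffer.from !== Uint8Array.from` feature check is the idiom used by safe-buffer style polyfills to detect Node.js 4.0 to 4.4, where `Buffer.from` was only the inherited `Uint8Array.from`.

```javascript
// Added example: defensive base64 decoding in the spirit of the 2.1.0 fix.
// Not the atob package's own code.
//
// Background: on old Node.js the Buffer constructor was overloaded. Given a
// string it decoded it; given a number N it allocated N bytes of *uninitialized*
// memory. A decoder that forwarded its argument straight to
// `new Buffer(arg, 'base64')` therefore returned stale heap contents whenever a
// caller supplied a number (for example from attacker-controlled JSON).

// Decode a base64 string to a binary (latin1) string, rejecting anything else.
function safeAtob(input) {
  // Type check *before* touching Buffer: a number must never select the
  // "allocate N bytes" overload.
  if (typeof input !== 'string') {
    throw new TypeError('safeAtob: expected a base64 string, got ' + typeof input);
  }
  // Buffer.from(string, encoding) has no size-allocating overload. The extra
  // comparison guards against Node.js 4.0-4.4, where Buffer.from existed only
  // as the inherited Uint8Array.from (assumption: same check as safe-buffer).
  if (typeof Buffer.from === 'function' && Buffer.from !== Uint8Array.from) {
    return Buffer.from(input, 'base64').toString('binary');
  }
  // Legacy fallback for very old Node.js (not reached on modern versions):
  // the string overload of the constructor never allocates from a length.
  return new Buffer(input, 'base64').toString('binary');
}

// For callers handling untrusted, possibly non-string data: return null on a
// type error instead of throwing, and never forward a number to the decoder.
function tryDecode(value) {
  try {
    return safeAtob(value);
  } catch (e) {
    if (e instanceof TypeError) return null;
    throw e;
  }
}

// When a sized buffer really is needed, allocate it zero-filled. Buffer.alloc
// (Node.js 4.5+) is the initialized counterpart of the old numeric overload.
function allocZeroed(size) {
  if (!Number.isInteger(size) || size < 0) {
    throw new RangeError('allocZeroed: size must be a non-negative integer');
  }
  return Buffer.alloc(size);
}
```

`safeAtob` fails closed with a `TypeError`, which is the right behaviour for a library boundary; `tryDecode` shows the softer contract an application layer might prefer when the value comes from user input. The point either way is that the type check happens before any Buffer API is called, so the numeric overload is unreachable regardless of the Node.js version underneath.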
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| atob (npm) | < 2.1.0 | 2.1.0 |
Affected products
- HackerOne / atob node module, affected range: <= 2.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.