Unrated severityNVD Advisory· Published Jan 6, 2021· Updated Apr 30, 2025
CVE-2020-8265
CVE-2020-8265
Description
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
22- osv-coords20 versionspkg:bitnami/nodepkg:bitnami/node-minpkg:rpm/almalinux/nodejs-nodemonpkg:rpm/almalinux/nodejs-packagingpkg:rpm/opensuse/nodejs10&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/nodejs10&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/nodejs12&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/nodejs14&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/nodejs14&distro=openSUSE%20Tumbleweedpkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP2pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP2pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP2
>= 10.0.0, < 10.23.1+ 19 more
- (no CPE)range: >= 10.0.0, < 10.23.1
- (no CPE)range: >= 10.0.0, < 10.23.1
- (no CPE)range: < 1.18.3-1.module_el8.3.0+2023+d2377ea3
- (no CPE)range: < 17-3.module_el8.4.0+2224+b07ac28e
- (no CPE)range: < 10.23.1-lp151.2.15.1
- (no CPE)range: < 10.23.1-lp152.2.9.1
- (no CPE)range: < 12.20.1-lp152.3.9.1
- (no CPE)range: < 14.15.4-lp152.5.1
- (no CPE)range: < 14.17.5-1.2
- (no CPE)range: < 10.23.1-1.30.1
- (no CPE)range: < 10.23.1-1.30.1
- (no CPE)range: < 10.23.1-1.33.1
- (no CPE)range: < 10.23.1-1.30.1
- (no CPE)range: < 10.23.1-1.30.1
- (no CPE)range: < 10.23.1-1.30.1
- (no CPE)range: < 10.23.1-1.30.1
- (no CPE)range: < 12.20.1-1.26.1
- (no CPE)range: < 12.20.1-4.10.1
- (no CPE)range: < 14.15.4-6.6.1
- (no CPE)range: < 14.15.4-5.6.1
Patches
Vulnerability mechanics
References
9- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/mitrevendor-advisoryx_refsource_FEDORA
- security.gentoo.org/glsa/202101-07mitrevendor-advisoryx_refsource_GENTOO
- www.debian.org/security/2021/dsa-4826mitrevendor-advisoryx_refsource_DEBIAN
- cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfmitrex_refsource_CONFIRM
- hackerone.com/reports/988103mitrex_refsource_MISC
- nodejs.org/en/blog/vulnerability/january-2021-security-releases/mitrex_refsource_MISC
- security.netapp.com/advisory/ntap-20210212-0003/mitrex_refsource_CONFIRM
- www.oracle.com/security-alerts/cpujan2021.htmlmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.