Unrated severityNVD Advisory· Published Aug 16, 2021· Updated Apr 30, 2025

CVE-2021-22931

Description

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Affected products

Node.js/Node.jsv5
Range: 4.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

security.gentoo.org/glsa/202401-02mitrevendor-advisory
cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfmitre
hackerone.com/reports/1178337mitre
nodejs.org/en/blog/vulnerability/aug-2021-security-releases/mitre
security.netapp.com/advisory/ntap-20210923-0001/mitre
security.netapp.com/advisory/ntap-20211022-0003/mitre
www.oracle.com/security-alerts/cpujan2022.htmlmitre
www.oracle.com/security-alerts/cpujul2022.htmlmitre
www.oracle.com/security-alerts/cpuoct2021.htmlmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000