VYPR
Moderate severity · NVD Advisory · Published Jun 17, 2022 · Updated Sep 16, 2024

Out-of-bounds Read

CVE-2022-25872

Description

fast-string-search npm package vulnerable to out-of-bounds read via incorrect memory handling for non-string inputs, allowing memory disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The fast-string-search package, which provides fast substring search using N-API and the Boyer-Moore algorithm, is vulnerable to an out-of-bounds read in all versions. The root cause lies in incorrect memory freeing and length calculation when a non-string value is passed as the source argument to functions such as indexOf [1][3]. This flaw occurs because the internal C++ code does not properly validate the type of the input, leading to improper memory management.

Exploitation Details

An attacker can trigger the vulnerability by passing a numeric or other non-string value as the source parameter. No authentication is required; the exposure is limited to applications that call fast-string-search with unsanitized input. The Snyk advisory includes a proof-of-concept: calling fss.indexOf(1, "9") after a legitimate search may return indices from the previous string, demonstrating memory leakage [3].

Impact

Successful exploitation allows an attacker to read previously allocated memory, potentially leaking sensitive data such as passwords, tokens, or other confidential information. The impact is limited to memory disclosure; arbitrary code execution is not directly possible via this vulnerability.

Mitigation Status

As of this writing, there is no patched version of fast-string-search. The project appears to be unmaintained, and users should migrate to alternative libraries (e.g., the built-in String.prototype.indexOf or Buffer.indexOf) to eliminate the risk [3].
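The two points the narrative makes, that the native code skipped type validation before deriving a length, and that the built-in searches are the recommended replacement, can be shown together in plain Node.js. The following is an added example written for this page, not code from the fast-string-search package or from the advisory; the names `safeIndexOf`, `assertSearchable` and `horspoolIndexOf` are constructed for illustration. The wrapper rejects any source or pattern that is not a string or Buffer and delegates to the built-ins, and the pure-JS Boyer-Moore-Horspool below it makes every read bounds-checked so the length arithmetic the advisory describes is visible.

```javascript
'use strict';

// Added example (not from the advisory or the fast-string-search package).
// `assertSearchable`, `safeIndexOf` and `horspoolIndexOf` are constructed names.

// Validate that a search operand is a string or Buffer before touching its
// bytes. The advisory attributes CVE-2022-25872 to native code that skipped
// this check and computed a length from a non-string value.
function assertSearchable(value, name) {
  if (typeof value === 'string' || Buffer.isBuffer(value)) return;
  throw new TypeError(`${name} must be a string or Buffer, got ${typeof value}`);
}

// Mitigation path named in the advisory: use String.prototype.indexOf or
// Buffer.indexOf instead of the unmaintained native addon. Both operands
// must be the same kind so the comparison is never string-vs-bytes.
function safeIndexOf(source, pattern, fromIndex = 0) {
  assertSearchable(source, 'source');
  assertSearchable(pattern, 'pattern');
  if (typeof source !== typeof pattern) {
    throw new TypeError('source and pattern must both be strings or both be Buffers');
  }
  return source.indexOf(pattern, fromIndex);
}

// Pure-JS Boyer-Moore-Horspool over bytes. Every index into `hay` is kept
// inside [0, n) by the loop bound, which is exactly the invariant a native
// implementation loses if it trusts a length derived from the wrong type.
// Returns the first byte offset of `pattern` in `source`, or -1. For string
// inputs the offset is a UTF-8 byte offset (equal to the char index for ASCII).
function horspoolIndexOf(source, pattern) {
  assertSearchable(source, 'source');
  assertSearchable(pattern, 'pattern');
  const hay = Buffer.from(source);
  const needle = Buffer.from(pattern);
  const n = hay.length;
  const m = needle.length;
  if (m === 0) return 0;
  if (m > n) return -1;

  // Bad-character shift table: bytes not in the pattern shift by m.
  const shift = new Array(256).fill(m);
  for (let i = 0; i < m - 1; i++) shift[needle[i]] = m - 1 - i;

  let pos = 0;
  while (pos <= n - m) {               // guarantees hay[pos + m - 1] exists
    let j = m - 1;
    while (j >= 0 && hay[pos + j] === needle[j]) j--;
    if (j < 0) return pos;
    pos += shift[hay[pos + m - 1]];    // the read stays within [0, n)
  }
  return -1;
}

// Stand-alone usage on constructed inputs.
console.log(safeIndexOf('hello world', 'world'));       // 6
console.log(horspoolIndexOf('hello world', 'world'));   // 6
try {
  safeIndexOf(1, '9');                                  // rejected, not searched
} catch (e) {
  console.log(e.message);
}
```

The non-string call the advisory uses as its proof-of-concept is turned into a TypeError at the boundary, which is the behaviour a native addon should have had before computing any length from its argument.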

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: fast-string-search (npm)
Affected versions: <= 1.4.3
Patched versions: none

Affected products: 2

Patches: 0

No patches discovered yet.

References: 4
