VYPR
Critical severity · NVD Advisory · Published Mar 9, 2023 · Updated Feb 28, 2025

CVE-2023-26109

Description

All versions of node-bluetooth-serial-port are vulnerable to buffer overflow in findSerialPortChannel due to lack of input length validation, allowing arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The vulnerability resides in the findSerialPortChannel method of the node-bluetooth-serial-port package. The method fails to validate the length of user-supplied input before processing it, leading to a buffer overflow [1][2]. This flaw affects all versions of the package.

Exploitation is straightforward: an attacker can invoke findSerialPortChannel with an excessively long string, as demonstrated in the proof-of-concept published by security researchers [3]. No special privileges are required; the attack can be delivered by any input mechanism that reaches the vulnerable method, such as network messages or user-supplied data in applications using the library.

A successful overflow can corrupt memory, potentially leading to arbitrary code execution within the context of the Node.js process. The impact is severe, as it could allow an attacker to gain full control over the affected system [2][3].

As of the advisory date, no patched version of the package exists. The GitHub repository notes that the package is a fork of an unmaintained upstream project, suggesting limited ongoing maintenance [1]. Users are advised to avoid calling the findSerialPortChannel method with untrusted input, or to consider switching to an alternative Bluetooth serial communication library.
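The mitigation the insight recommends (keeping untrusted input away from the method), as an added JavaScript example that is not part of the advisory or of the library: an application-side wrapper that enforces a fixed length and format before delegating to the native method. It assumes the method takes a Bluetooth device address of the form XX:XX:XX:XX:XX:XX plus found/not-found callbacks; the FakeSerialPort stand-in is constructed so the example runs offline.

```javascript
// Added example, not part of the advisory or of node-bluetooth-serial-port:
// an application-side guard that rejects malformed or oversized input before
// it reaches the native findSerialPortChannel method.
// Assumption: the method takes a Bluetooth device address string
// ("XX:XX:XX:XX:XX:XX", 17 characters) and two callbacks (found, not found).

const BT_ADDRESS_LEN = 17;
const BT_ADDRESS_RE = /^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$/;

// Returns the upper-cased address, or throws. The length check runs first so
// an oversized string is refused before any other processing.
function validateBluetoothAddress(input) {
  if (typeof input !== 'string') {
    throw new TypeError('Bluetooth address must be a string');
  }
  if (input.length !== BT_ADDRESS_LEN) {
    throw new RangeError(
      `Bluetooth address must be ${BT_ADDRESS_LEN} characters, got ${input.length}`,
    );
  }
  if (!BT_ADDRESS_RE.test(input)) {
    throw new RangeError('Bluetooth address must look like 00:11:22:33:44:55');
  }
  return input.toUpperCase();
}

// Same callback style as the library, but only validated input is forwarded.
// `port` is any object exposing findSerialPortChannel(address, onFound, onNotFound).
function findChannelSafely(port, address, onFound, onNotFound) {
  const safe = validateBluetoothAddress(address); // throws on bad input
  port.findSerialPortChannel(safe, onFound, onNotFound);
}

// Constructed stand-in for the library object so the example runs offline.
// It records every address it receives so callers can confirm that only
// validated input ever reached it.
class FakeSerialPort {
  constructor() {
    this.calls = [];
  }
  findSerialPortChannel(address, onFound, onNotFound) {
    this.calls.push(address);
    if (address === '00:11:22:33:44:55') onFound(1);
    else onNotFound();
  }
}
```

The guard is defence in depth for applications that cannot drop the dependency; it does not fix the missing length check inside the native code itself.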

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: node-bluetooth-serial-port (npm)
Affected versions: <= 2.2.7
Patched versions: none

Affected products: 1

Patches: 0

No patches discovered yet.

References: 3
