Critical severity · NVD Advisory · Published Mar 9, 2023 · Updated Feb 28, 2025

CVE-2023-26110

Description

All versions of node-bluetooth are vulnerable to a buffer overflow in the findSerialPortChannel method due to insufficient input length validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The node-bluetooth package, used for Bluetooth serial port communication in Node.js, is vulnerable to a buffer overflow across all versions. The flaw resides in the findSerialPortChannel method, which fails to properly validate the length of user-supplied input before processing [1][2]. This oversight allows an attacker to supply an excessively long string as the device address argument, triggering a buffer overflow.

Attack Vector and Prerequisites

The vulnerability is exploitable by passing a long string (e.g., over 1000 'a' characters) to the findSerialPortChannel method, as demonstrated in a proof-of-concept provided by Snyk [3]. No authentication is required because the vulnerable method can be called with any arbitrary address string. The attack surface is local to the process, but an attacker who can control the input to this method (for example, via a malicious Bluetooth device name or crafted external input) can trigger the overflow.

Impact

Successful exploitation of this buffer overflow can lead to memory corruption, potentially allowing arbitrary code execution or causing a denial of service (crash). Given that Node.js runs with the privileges of the user, the impact could include full system compromise if an attacker achieves code execution [3].

Mitigation Status

As of the publication date, no fixed version of node-bluetooth has been released [3]. Users are advised to avoid passing untrusted input to the findSerialPortChannel method, restrict access to the package, or seek alternative Bluetooth libraries for Node.js. The vulnerability is tracked in the Snyk database as SNYK-JS-NODEBLUETOOTH-3311821 [3].
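One way to apply the "no untrusted input" advice is to gate every call behind a strict address check. The following is an added example, not code from node-bluetooth or Snyk. The names normalizeBdAddr and safeFindSerialPortChannel are hypothetical, and it assumes the method takes (address, callback) and that the library handles a well-formed 17-character address safely.

```javascript
'use strict';

// A Bluetooth device address is six hex octets joined by ':' (always 17 chars).
const BD_ADDR_LEN = 17;
const BD_ADDR_RE = /^[0-9A-F]{2}(?::[0-9A-F]{2}){5}$/i;

// Returns the address in upper case, or null if it is not a well-formed address.
function normalizeBdAddr(input) {
  if (typeof input !== 'string') return null;
  if (input.length !== BD_ADDR_LEN) return null; // length gate before anything else
  return BD_ADDR_RE.test(input) ? input.toUpperCase() : null;
}

// Hypothetical wrapper: `device` is any object exposing findSerialPortChannel.
// Assumption: the method calls back with the channel as its only argument.
// Returns true if the call was forwarded, false if the address was rejected.
function safeFindSerialPortChannel(device, address, callback) {
  const addr = normalizeBdAddr(address);
  if (addr === null) {
    // Report type and length only; never echo untrusted bytes into logs.
    const len = typeof address === 'string' ? address.length : -1;
    const err = new RangeError(
      `rejected Bluetooth address (type=${typeof address}, length=${len})`);
    queueMicrotask(() => callback(err));
    return false;
  }
  device.findSerialPortChannel(addr, (channel) => callback(null, channel));
  return true;
}

// Constructed demo: a stub stands in for the library's device object.
function demo() {
  const forwarded = [];
  const stub = {
    findSerialPortChannel: (a, cb) => { forwarded.push(a); cb(1); },
  };
  // Constructed inputs: valid address, oversized string, short address, non-string.
  const samples = ['00:1a:7d:da:71:13', 'a'.repeat(1000), '00:1A:7D:DA:71', 42];
  const results = samples.map((s) => safeFindSerialPortChannel(stub, s, () => {}));
  return { results, forwarded };
}

console.log(demo());
```

The wrapper only helps if every call site uses it; a lint rule or code search for direct findSerialPortChannel calls closes that gap.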

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
node-bluetooth (npm) | <= 1.2.6 | none listed

Patches

No patches discovered yet.

References

3
