High severity · OSV Advisory · Published Jul 10, 2024 · Updated Aug 1, 2024
CVE-2024-21524
Description
All versions of the package node-stringbuilder are vulnerable to Out-of-bounds Read due to incorrect memory length calculation, by calling ToBuffer, ToString, or CharAt on a StringBuilder object with a non-empty string value input. It's possible to return previously allocated memory, for example, by providing negative indexes, leading to an Information Disclosure.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| node-stringbuilder (npm) | <= 2.2.7 | — |
Affected products
- Range: v1.0.0, v1.1.0, v1.3.0, …
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-g533-xq5w-jmf3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-21524 (ghsa, ADVISORY)
- gist.github.com/dellalibera/0bb022811224f81d998fa61c3175ee67 (ghsa, WEB)
- github.com/magiclen/node-stringbuilder/blob/5c2797d3d6bf8cb6d10fe1e077609cef9a5a7de0/src/node-stringbuilder.c (ghsa, WEB)
- security.snyk.io/vuln/SNYK-JS-NODESTRINGBUILDER-6421617 (ghsa, WEB)
- github.com/magiclen/node-stringbuilder/blob/5c2797d3d6bf8cb6d10fe1e077609cef9a5a7de0/src/node-stringbuilder.c%23L1281 (mitre)