Whether V8: CVE-2024-3159 and V8: CVE-2024-3156 have impact on the use of nodejs ？

[yansf]

Version
21.7.2

Platform
No response

Subsystem
No response

What steps will reproduce the bug?
No response

How often does it reproduce? Is there a required condition?
No response

What is the expected behavior? Why is that the expected behavior?
No response

What do you see instead?
Hi colleague,

In recent BDBA scan, there are two CVE:
CVE-2024-3159
CVE-2024-3156

detected in node.js.
According to the description of above, it was detected in V8 in Google Chrome. Here we would like to further confirm whether it is true positive in node.js or not.

Additional information
3159: Out of bounds memory access in V8 in Google Chrome prior to 123.0.6312.105 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
3156: Inappropriate implementation in V8 in Google Chrome prior to 123.0.6312.105 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Best regards,
Shaofeng

[mhdawson]

@targos I think you have access to the actual chromium disclosures to take a look?

[targos]

Both just need plain JS code to be triggered.

[mhdawson]

@targos which I think means they are outside of the Node.js threat model because we trust the code you ask Node.js to run, right?

[targos]

yes

[zjhua2002]

@targos given chromium has fixed them in v8 and node.js has v8 code, I am not sure whether node.js applied those fixed of v8 from chromium. Pls. kindly advise further.