Use-After-Free in puppeteer

Moderate severity GitHub Reviewed Published Sep 2, 2020 • Updated Sep 27, 2021

Package

puppeteer (npm)

Affected versions

< 1.13.0

Patched versions

1.13.0

Description

Versions of puppeteer prior to 1.13.0 are affected by a use-after-free vulnerability in Chromium (CVE-2019-5786). The flaw is in the Chromium FileReader API and may lead to remote code execution.

Recommendation

Upgrade to version 1.13.0 or later.

Severity

Moderate, 6.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE ID

CVE-2019-5786

GHSA ID

GHSA-c2gp-86p4-5935