Remote Memory Exposure in bl

high severity GitHub Reviewed Published Sep 2, 2020 • Updated May 10, 2021

Package

npm bl (npm)

Affected versions

= 3.0.0
>= 4.0.0, < 4.0.3
< 1.2.3
>= 2.0.0, < 2.2.1

Patched versions

3.0.1
4.0.3
1.2.3
2.2.1

Description

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3. If attacker-supplied input (even typed input) reaches the consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

References

CVE ID

CVE-2020-8244

CVSS Score

6.5 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L