CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS
Percentile: 90.0%

Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the
possibility of recursive processing that triggers V8 garbage collection in
conjunction with a V8 interrupt, which allows remote attackers to cause a
denial of service (memory corruption and application crash) via deep JSON
objects whose parsing lets this interrupt mask an overflow of the program
stack.
Author | Note |
---|---|
mdeslaur | CVE is for nodejs, but nodejs package uses system libv8 |
mikesalvatore | The Ubuntu Security Team does not support libv8 |