5

CVSS Score

Basic Information

CVE ID

CVE-2016-10519

GHSA ID

GHSA-77g4-36jp-5v3m

EPSS Score

0.54157%

CWE

CWE-201

Published

9/1/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10519

CVE-2016-10519:
Remote Memory Disclosure in bittorrent-dht

Versions of bittorrent-dht prior to 5.1.3 are affected by a remote memory disclosure vulnerability. This vulnerability allows an attacker to send a specific series of of messages to a listening peer and get it to reveal internal memory.

There are two mitigating factors here, that slightly reduce the impact of this vulnerability:

Any modern kernel will zero out new memory pages before handing them off to a process. This means that only memory previously used and deallocated by the node process can be leaked.
Node.js manages Buffers by creating a few large internal SlowBuffers, and slicing them up into smaller Buffers which are made accessible in JS. They are not stored on V8's heap, because garbage collection would interfere. The result is that only memory that has been previously allocated as a Buffer can be leaked.

Recommendation

Update to version 5.1.3 or later.

(GitHub Advisory)

5

CVSS Score

Basic Information

CVE ID

CVE-2016-10519

GHSA ID

GHSA-77g4-36jp-5v3m

EPSS Score

0.54157%

CWE

CWE-201

Published

9/1/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
bittorrent-dht	npm	< 5.1.3	5.1.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of node IDs in two key functions:

_addNode processes incoming node information without validating the nodeId type, allowing invalid inputs to reach Buffer creation
idToBuffer previously created Buffers from any input type using 'new Buffer(id, 'hex')', which when given non-string/non-Buffer inputs (like numbers/objects) would read from arbitrary memory addresses. The patches add type checks and null returns to prevent this. These functions would appear in stack traces when processing malicious messages due to their role in node ID validation and Buffer allocation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `*ittorr*nt-**t` prior to *.*.* *r* *****t** *y * r*mot* m*mory *is*losur* vuln*r**ility. T*is vuln*r**ility *llows *n *tt**k*r to s*n* * sp**i*i* s*ri*s o* o* m*ss***s to * list*nin* p**r *n* **t it to r*v**l int*rn*l m*mory. T**r* *r*

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* no** I*s in two k*y *un*tions: *. _***No** pro**ss*s in*omin* no** in*orm*tion wit*out v*li**tin* t** no**I* typ*, *llowin* inv*li* inputs to r**** *u***r *r**tion *. i*To*u***r pr*viously *r**t** *u*

5

Basic Information

Concerned about an active attack path?

CVE-2016-10519: Remote Memory Disclosure in bittorrent-dht

Recommendation

5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2016-10519:
Remote Memory Disclosure in bittorrent-dht

Vulnerability Intelligence
Miggo AI