Miggo Logo
Miggo Vulnerability Database
CVE-2021-23386

CVE-2021-23386: Potential memory exposure in dns-packet

7.7

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-23386
GHSA ID
GHSA-3wcq-x3mq-6r9p
EPSS Score
0.52853%
CWE
CWE-200
Published
5/24/2021
Updated
2/12/2025
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
dns-packetnpm< 1.3.21.3.2
dns-packetnpm>= 2.0.0, < 5.2.25.2.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from incorrect buffer size calculation in name.encodingLength, which was patched in commits 25f15dd and 0d0d593. The original implementation used Buffer.byteLength(n) without sanitizing input domain names, causing buffers allocated with allocUnsafe to have uninitialized regions. The patches explicitly trim domain names before size calculation, confirming this function's role in the vulnerability. The function's output directly influences buffer allocation, making it the root cause of memory exposure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts t** p**k*** *ns-p**k*t ***or* v*rsions *.*.* *n* *.*.*. It *r**t*s *u***rs wit* *llo*Uns*** *n* *o*s not *lw*ys *ill t**m ***or* *ormin* n*twork p**k*ts. T*is **n *xpos* int*rn*l *ppli**tion m*mory ov*r un*n*rypt** n*twork w**n qu*ryin*

Reasoning

T** vuln*r**ility st*ms *rom in*orr**t *u***r siz* **l*ul*tion in `n*m*.*n*o*in*L*n*t*`, w*i** w*s p*t**** in *ommits ******* *n* *******. T** ori*in*l impl*m*nt*tion us** `*u***r.*yt*L*n*t*(n)` wit*out s*nitizin* input *om*in n*m*s, **usin* *u***rs