CVE-2021-23386: Potential memory exposure in dns-packet
7.7
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.52853%
CWE
Published
5/24/2021
Updated
2/12/2025
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
dns-packet | npm | < 1.3.2 | 1.3.2 |
dns-packet | npm | >= 2.0.0, < 5.2.2 | 5.2.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from incorrect buffer size calculation in name.encodingLength
, which was patched in commits 25f15dd and 0d0d593. The original implementation used Buffer.byteLength(n)
without sanitizing input domain names, causing buffers allocated with allocUnsafe
to have uninitialized regions. The patches explicitly trim domain names before size calculation, confirming this function's role in the vulnerability. The function's output directly influences buffer allocation, making it the root cause of memory exposure.