
CVE-2021-39131: Improper Handling of Unexpected Data Type in ced

CVSS Score
7.5 (CVSS v3.1)

Basic Information

EPSS Score
0.62544%
Published
8/23/2021
Updated
2/1/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name
ced
Ecosystem
npm
Vulnerable Versions
< 1.0.0
First Patched Version
1.0.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the main exported function in index.js, which passed user input directly to a native binding without validation. The patch added a Buffer.isBuffer() check to this function, confirming it as the vulnerable entry point. The proof of concept crashes the process by passing req.body (which may be a string rather than a Buffer) to ced(), consistent with the unvalidated function's behaviour. Because the crash happens inside the native binding rather than as a catchable JavaScript exception, it takes down the whole Node.js process; the impact is availability only (C:N/I:N/A:H in the vector above).


WAF Protection Rules

WAF Rule

Impact
In ced v0.1.0, passing data types other than `Buffer` causes the Node.js process to crash.

Patches
The problem has been patched in ced v1.0.0 (https://github.com/sonicdoe/ced/releases/tag/v1.0.0). You can upgrade from v0.1.0 without
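The following is an added example, not code from the ced project, modelling the flaw described in the root cause analysis and in the advisory text above: an exported function that forwards its argument to a native binding unchecked, beside the Buffer.isBuffer() guard that 1.0.0 introduced, plus the caller-side normalisation a route handler needs for the req.body case from the proof of concept. Everything here is assumed for illustration: `nativeDetect` is a JavaScript stand-in for the compiled binding (its BOM/ASCII logic is a toy, not ced's algorithm), `onFatal` is an injectable hook that simulates the hard crash a real binding would cause on non-Buffer input, and `detectRequestBody` is a hypothetical helper.

```javascript
'use strict';

// Added example, not code from the ced project. Models the entry point the
// root-cause analysis and advisory describe: ced < 1.0.0 forwarded its argument
// to a native binding unchecked, and 1.0.0 added a Buffer.isBuffer() guard.
// `nativeDetect` is a JavaScript stand-in for the compiled binding (assumption:
// the real binding is C++ and is not reproduced here); its BOM/ASCII logic is
// only there so data visibly flows through it.

// Stand-in for the native binding. A real binding handed a non-Buffer reads
// memory it does not own and takes the whole process down rather than throwing,
// which `onFatal` simulates (process.abort by default, injectable for tests).
function nativeDetect(input, onFatal = () => process.abort()) {
  if (!Buffer.isBuffer(input)) {
    return onFatal(new Error('native binding received non-Buffer input'));
  }
  if (input.length >= 3 && input[0] === 0xef && input[1] === 0xbb && input[2] === 0xbf) {
    return 'UTF-8'; // UTF-8 byte order mark
  }
  if (input.length >= 2 && input[0] === 0xff && input[1] === 0xfe) {
    return 'UTF-16LE'; // UTF-16 little-endian byte order mark
  }
  for (const byte of input) {
    if (byte > 0x7f) return 'UTF-8'; // any high byte: assume UTF-8
  }
  return 'ASCII';
}

// Shape of the vulnerable entry point (ced < 1.0.0 as described): whatever the
// caller passes goes straight to the binding.
function cedVulnerable(input, onFatal) {
  return nativeDetect(input, onFatal);
}

// Shape of the patched entry point (ced 1.0.0): reject non-Buffer input in
// JavaScript, where a TypeError is catchable, before the binding ever sees it.
function cedPatched(input) {
  if (!Buffer.isBuffer(input)) {
    throw new TypeError('ced: expected a Buffer, got ' + typeof input);
  }
  return nativeDetect(input);
}

// Hypothetical caller-side handling for the req.body case in the proof of
// concept. Body parsers yield a string, an object or a Buffer depending on
// configuration, so normalise before calling the library; null signals that
// the route should answer 400 rather than pass unknown data on.
function detectRequestBody(body) {
  if (Buffer.isBuffer(body)) return cedPatched(body);
  if (typeof body === 'string') return cedPatched(Buffer.from(body, 'utf8'));
  if (body instanceof Uint8Array) {
    // Buffer.isBuffer() is false for a plain Uint8Array; wrap it without copying.
    return cedPatched(Buffer.from(body.buffer, body.byteOffset, body.byteLength));
  }
  return null;
}
```

The point of `detectRequestBody` is that the library-side guard only converts a process crash into a TypeError; an unguarded route that lets that TypeError escape still returns a 500 on every malformed body, so the caller should coerce or reject explicitly. Note also that `Buffer.isBuffer()` rejects a plain `Uint8Array`, which a caller reading raw bodies from a WHATWG stream may well be holding.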
