CVE-2021-39131: Improper Handling of Unexpected Data Type in ced
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.62544%
CWE
Published
8/23/2021
Updated
2/1/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
ced | npm | < 1.0.0 | 1.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the main exported function in index.js
which directly passed user input to a native binding without validation. The patch added a Buffer.isBuffer()
check in this function, confirming this was the vulnerable entry point. The proof of concept shows the crash occurs when passing req.body
(which might be a string) to ced()
, matching the unvalidated function's behavior.