7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-39131

GHSA ID

GHSA-27wq-qx3q-fxm9

EPSS Score

0.62544%

CWE

CWE-241

Published

8/23/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-39131

CVE-2021-39131: Improper Handling of Unexpected Data Type in ced

Impact

In ced v0.1.0, passing data types other than Buffer causes the Node.js process to crash.

Patches

The problem has been patched in ced v1.0.0. You can upgrade from v0.1.0 without any breaking changes.

Workarounds

Before passing an argument to ced, verify it’s a Buffer using Buffer.isBuffer(obj).

CVSS score

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C

Base Score: 7.5 (High) Temporal Score: 7.2 (High)

Since ced is a library, the scoring is based on the “reasonable worst-case implementation scenario”, namely, accepting data from untrusted sources over a network and passing it directly to ced. Depending on your specific implementation, the vulnerability’s severity in your program may be different.

Proof of concept

const express = require("express");
const bodyParser = require("body-parser");
const ced = require("ced");

const app = express();

app.use(bodyParser.raw());

app.post("/", (req, res) => {
  const encoding = ced(req.body);

  res.end(encoding);
});

app.listen(3000);

curl --request POST --header "Content-Type: text/plain" --data foo http://localhost:3000 crashes the server.

References

https://github.com/sonicdoe/ced/commit/a4d9f10b6bf1cd468d1a5b9a283cdf437f8bb7b3

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-39131

GHSA ID

GHSA-27wq-qx3q-fxm9

EPSS Score

0.62544%

CWE

CWE-241

Published

8/23/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ced	npm	< 1.0.0	1.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the main exported function in index.js which directly passed user input to a native binding without validation. The patch added a Buffer.isBuffer() check in this function, confirming this was the vulnerable entry point. The proof of concept shows the crash occurs when passing req.body (which might be a string) to ced(), matching the unvalidated function's behavior.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t In *** v*.*.*, p*ssin* **t* typ*s ot**r t**n `*u***r` **us*s t** No**.js pro**ss to *r*s*. ### P*t***s T** pro*l*m **s ***n p*t**** in [*** v*.*.*](*ttps://*it*u*.*om/soni**o*/***/r*l**s*s/t**/v*.*.*). You **n up*r*** *rom v*.*.* wit*ou

Reasoning

T** vuln*r**ility st*ms *rom t** m*in *xport** *un*tion in `in**x.js` w*i** *ir**tly p*ss** us*r input to * n*tiv* *in*in* wit*out v*li**tion. T** p*t** ***** * `*u***r.is*u***r()` ****k in t*is *un*tion, *on*irmin* t*is w*s t** vuln*r**l* *ntry poin

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-39131: Improper Handling of Unexpected Data Type in ced

Impact

Patches

Workarounds

CVSS score

Proof of concept

References

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI