Miggo Logo
Miggo Vulnerability Database
CVE-2024-21521

CVE-2024-21521: @discordjs/opus vulnerable to Denial of Service

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-21521
GHSA ID
GHSA-43wq-xrcm-3vgr
EPSS Score
0.5043%
CWE
CWE-20
Published
7/10/2024
Updated
7/31/2024
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
@discordjs/opusnpm<= 0.9.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper input validation in functions that convert arguments to numbers using ToNumber() without type checking. The PoC demonstrates crashes when passing objects with toString properties to these functions. All four functions shown in the node-opus.cc code (constructor, setBitrate, applyEncoderCTL, applyDecoderCTL) exhibit this pattern of unsafe input handling, matching the advisory's description of multiple vulnerable entry points. The direct correlation between PoC test cases and function implementations confirms their vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll v*rsions o* t** p**k*** @*is*or*js/opus *r* vuln*r**l* to **ni*l o* S*rvi** (*oS) *u* to provi*in* *n input o*j**t wit* * prop*rty toStrin* to s*v*r*l *i***r*nt *un*tions. *xploitin* t*is vuln*r**ility *oul* l*** to * pro**ss *r*s*.

Reasoning

T** vuln*r**ility st*ms *rom improp*r input v*li**tion in *un*tions t**t *onv*rt *r*um*nts to num**rs usin* `ToNum**r()` wit*out typ* ****kin*. T** Po* **monstr*t*s *r*s**s w**n p*ssin* o*j**ts wit* `toStrin*` prop*rti*s to t**s* *un*tions. *ll *our