Severity: moderate

Remote Memory Exposure



Versions of mongoose before 4.3.6, 3.8.39 are vulnerable to remote memory exposure.

Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database.


Update to version 4.3.6, 3.8.39 or later.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Apr 25th, 2018
  2. reported

    Apr 24th, 2018