Severity: moderate

Remote Memory Exposure



Versions of mongoose before 4.3.6 and, on the 3.8 line, before 3.8.39 are vulnerable to remote memory exposure.

Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database.


Update to version 4.3.6 or later, or to 3.8.39 or later on the 3.8 line.
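
As defense in depth alongside the upgrade, an application can refuse numeric input for Buffer-typed fields before the document reaches mongoose. The following is an added example, not code from mongoose or from this advisory; `toSafeBuffer`, `sanitizeBufferFields`, the `avatar` field, the base64 default and the 64 KiB limit are all assumptions.

```javascript
// Added example, not mongoose code. Helper names, field names and the size
// limit are hypothetical; the request bodies below are constructed samples.
const MAX_BUFFER_BYTES = 64 * 1024; // assumed per-field application limit

const isByte = (n) => Number.isInteger(n) && n >= 0 && n <= 255;

// Build a Buffer only from inputs whose bytes are fully determined by the
// caller. A bare number is a length, not content, so it is refused.
function toSafeBuffer(value, encoding = 'base64') {
  let buf;
  if (Buffer.isBuffer(value)) {
    buf = Buffer.from(value); // copy, never alias caller memory
  } else if (typeof value === 'string') {
    buf = Buffer.from(value, encoding);
  } else if (Array.isArray(value) && value.every(isByte)) {
    buf = Buffer.from(value);
  } else {
    throw new TypeError(`Buffer field got unsupported ${typeof value} input`);
  }
  if (buf.length > MAX_BUFFER_BYTES) {
    throw new RangeError('Buffer field exceeds size limit');
  }
  return buf;
}

// Apply the guard to every Buffer-typed field before the document reaches
// the ODM. Returns { doc, errors } so the caller can reject the request.
function sanitizeBufferFields(input, bufferFields) {
  const doc = { ...input };
  const errors = {};
  for (const field of bufferFields) {
    if (!(field in doc) || doc[field] == null) continue;
    try {
      doc[field] = toSafeBuffer(doc[field]);
    } catch (err) {
      errors[field] = err.message;
      delete doc[field]; // never forward the rejected value
    }
  }
  return { doc, errors };
}

// Constructed request bodies: a base64 upload, and a number sent for the
// Buffer field, which is the case the advisory describes.
const good = sanitizeBufferFields({ name: 'a', avatar: 'aGVsbG8=' }, ['avatar']);
const bad = sanitizeBufferFields({ name: 'b', avatar: 4096 }, ['avatar']);
console.log(good.doc.avatar.toString(), good.errors);
console.log(bad.doc, bad.errors);
```

The guard belongs at the request-handling boundary, so a rejected field can be reported to the client before any model is constructed.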

Advisory timeline

  1. published: Advisory published, Apr 25th, 2018
  2. reported: Apr 24th, 2018