Severity: moderate

Remote Memory Exposure

mongoose

Overview

Versions of mongoose before 4.3.6 and before 3.8.39 are vulnerable to remote memory exposure.

Saving a number to a field of type Buffer on an affected mongoose version allocates a chunk of uninitialized memory of that size and stores its contents in the database, so whatever the Node.js process previously held in that memory is written out and can later be read back.

Remediation

Update to version 4.3.6 or later (4.x), or 3.8.39 or later (3.x).

Advisory timeline

  1. published: Advisory published, Apr 25th, 2018
  2. reported: Apr 24th, 2018