SNYK-JS-DNSPACKET-1293563

SNYK-JS-DNSPACKET-1293563 PUBLISHED CVSS 7.699999809265137 HIGH

## Overview [dns-packet](https://www.npmjs.com/package/dns-packet) is an An abstract-encoding compliant module for encoding / decoding DNS packets Affected versions of this package are vulnerable to Remote Memory Exposure. It creates buffers with `allocUnsafe` and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names. ## Remediation Upgrade `dns-packet` to version 1.3.4, 5.2.4 or higher. ## References - [GitHub Commit](https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56) - [HackerOne Report](https://hackerone.com/bugs?subject=user&report_id=968858)

Risk Scores

CVSS v3.1

7.699999809265137

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

Affected Products

Vendor	Product	Versions
		0

Timeline

May 18, 2021 CVE Updated
May 20, 2021 CVE Published

References

https://security.snyk.io/vuln/SNYK-JS-DNSPACKET-1293563 advisory
https://www.npmjs.com/package/dns-packet vendor
https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56 patch
https://hackerone.com/bugs?subject=user&report_id=968858 technical

Open in Interactive Console →