Platform: nodejs
Component: dns-packet
Fixed in: 5.2.2
CVE-2021-23386 affects the dns-packet package for Node.js, specifically versions prior to 1.3.2 and 5.2.2. This vulnerability arises from the package's use of allocUnsafe to create buffers without consistently filling them before constructing network packets. Consequently, querying crafted, invalid domain names can expose internal application memory over unencrypted network connections, potentially leading to data leakage.
The primary impact of CVE-2021-23386 is the potential for attackers to extract sensitive information from the application's memory. By sending specially crafted, invalid domain names, an attacker can trigger the vulnerability and observe the contents of the uninitialized buffer. This could include API keys, database credentials, or other confidential data stored in memory. The lack of encryption during network transmission further exacerbates the risk, as the exposed data is vulnerable to eavesdropping. While direct remote code execution is unlikely, the extracted data could be used for further attacks, such as privilege escalation or data breaches.
CVE-2021-23386 was publicly disclosed on May 24, 2021. While no active exploitation campaigns have been definitively linked to this CVE, the ease of crafting malicious domain names suggests a potential for opportunistic attacks. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of exploiting the vulnerability.
Exploit Status
EPSS: 1.11% (78% percentile)
The recommended mitigation for CVE-2021-23386 is to upgrade the dns-packet package to version 5.2.2 or later. This version includes a fix that ensures buffers are properly filled before being used to construct network packets, preventing the memory exposure vulnerability. If upgrading is not immediately feasible, consider implementing a WAF rule to filter out requests containing potentially malicious or invalid domain names. Monitoring network traffic for unusual patterns or unexpected data transmissions can also help detect potential exploitation attempts. After upgrading, confirm the fix by sending a crafted invalid domain name query and verifying that no sensitive memory contents are exposed in the network traffic.
Update the dns-packet package to version 5.2.2 or higher. This corrects the memory exposure vulnerability by ensuring that buffers are filled correctly before forming network packets. Run `npm install dns-packet@latest` to update.
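The bug class described above, as an added illustration that is not dns-packet's own code: a simplified name encoder whose size estimate and writer disagree on a name with empty labels, run against a constructed stand-in for `allocUnsafe` and then against a zero-filled allocation. `estimateLength`, `encodeName`, `dirtyAlloc` and the sample names are assumptions made for this example.

```javascript
// Added illustration of the bug class; NOT dns-packet's source code.
// Assumption: a toy encoder whose size estimate and writer disagree on invalid names.

// Size estimate: string bytes + first length byte + root terminator.
function estimateLength (name) {
  return Buffer.byteLength(name) + 2
}

// Writer: skips empty labels, so "a....b" writes fewer bytes than estimated.
function encodeName (name, alloc) {
  const buf = alloc(estimateLength(name))
  let offset = 0
  for (const label of name.split('.')) {
    if (label.length === 0) continue
    const len = buf.write(label, offset + 1) // label bytes
    buf[offset] = len                        // length prefix
    offset += len + 1
  }
  buf[offset++] = 0 // root label terminator
  return { buf, written: offset }
}

// Constructed stand-in for Buffer.allocUnsafe: memory that still holds stale data.
const STALE = 'SECRET'
const dirtyAlloc = (size) => Buffer.alloc(size, STALE)

// Zero-filled allocation, the approach the page describes for the fixed versions.
const zeroAlloc = (size) => Buffer.alloc(size)

// Bytes that would go out in the packet without ever being written by the encoder.
function leakedTail (name, alloc) {
  const { buf, written } = encodeName(name, alloc)
  return buf.subarray(written)
}

// Defense in depth: also send only the bytes that were actually written.
function encodeNameSafe (name) {
  const { buf, written } = encodeName(name, zeroAlloc)
  return buf.subarray(0, written)
}

// Constructed sample names: one valid, one with empty labels.
for (const name of ['example.com', 'a....b']) {
  console.log(JSON.stringify(name),
    'unsafe tail:', JSON.stringify(leakedTail(name, dirtyAlloc).toString()),
    'zero-filled tail:', leakedTail(name, zeroAlloc).toString('hex'))
}
```

The same comparison of allocated length against bytes written works as a unit-test assertion for any hand-rolled packet encoder.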
CVE-2021-23386 is a vulnerability in the dns-packet package for Node.js where crafted domain names can expose internal memory over unencrypted networks. It's rated HIGH severity (CVSS 7.7).
You are affected if you are using dns-packet versions before 1.3.2 or 5.2.2. Check your installed version using `npm list dns-packet`.
Upgrade the dns-packet package to version 5.2.2 or later using `npm install dns-packet@5.2.2`.
While no confirmed active exploitation campaigns are publicly known, the availability of a public proof-of-concept suggests a potential for opportunistic attacks.
Refer to the dns-packet project's GitHub repository for information and updates: https://github.com/felixfan/dns-packet