CVE-2021-22931

Published: 8/16/2021 Last updated: 4/30/2025 Reserved: 1/6/2021

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

CNA assigner: hackerone (36234546-b8fa-4601-9d6f-f4e334aa8ea1) Requested by: n/a

Opam packages affected (1)

conf-npm

Products affected (1)

Product	Vendor	Version
Node	NodeJS	< b15fa9224e6e1239414525d8d556d824701849fc

References (18)

https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
https://hackerone.com/reports/1178337
https://www.oracle.com/security-alerts/cpuoct2021.html
https://security.netapp.com/advisory/ntap-20210923-0001/
https://www.oracle.com/security-alerts/cpujan2022.html
https://security.netapp.com/advisory/ntap-20211022-0003/
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://www.oracle.com/security-alerts/cpujul2022.html
https://security.gentoo.org/glsa/202401-02
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
https://hackerone.com/reports/1178337
https://www.oracle.com/security-alerts/cpuoct2021.html
https://security.netapp.com/advisory/ntap-20210923-0001/
https://www.oracle.com/security-alerts/cpujan2022.html
https://security.netapp.com/advisory/ntap-20211022-0003/
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://www.oracle.com/security-alerts/cpujul2022.html
https://security.gentoo.org/glsa/202401-02