Windows 10 console output buffer overflow (libuv CVE-2016-9551)


Rod Vagg

Nov 23, 2016, 5:38:56 AM
to nodejs-sec

Please be aware that Node.js v7.2.0 was released today and includes a small security update arising from libuv: https://nodejs.org/en/blog/release/v7.2.0/

libuv v1.10.1 reverts a change that was introduced in v1.10.0, included in Node.js v7.1.0. The reverted code was found to contain a potential buffer overflow in output written to the console. We are not aware of any exploit of this flaw and it only impacts Windows 10 (November update and later). This flaw has been assigned the identifier CVE-2016-9551 and was originally discovered and reported by Hitesh Kanwathirtha of Microsoft.

Users of the v7 release line running on Windows 10 should upgrade to Node.js v7.2.0 at their earliest convenience.

No other version of Node.js is known to be impacted by this flaw.
