Node.js team assessment of CVE-2021-21148

Skip to first unread message


Feb 10, 2021, 8:51:09 AM2/10/21
to nodejs-sec

Based on internal discussion and consultation with the V8 team, we believe that Node.js is NOT affected by CVE-2021-21148. This assessment assumes that the code passed to the Node.js runtime is trusted and secure, which is always an assumption of the Node.js security model.

Irrespective of Node.js not being affected, we will consider pulling in the patch from V8 as part of the regular ongoing release process. The patch has already been released in Node.js 14.15.5. As of this writing, it has not been released in Node.js 15.x or any releases earlier than 14.15.5.

Reply all
Reply to author
0 new messages