Node.js team assessment of CVE-2021-21148

390 views
Skip to first unread message

midawson

unread,
Feb 10, 2021, 8:51:09 AMFeb 10
to nodejs-sec

Based on internal discussion and consultation with the V8 team, we believe that Node.js is NOT affected by CVE-2021-21148. This assessment assumes that the code passed to the Node.js runtime is trusted and secure, which is always an assumption of the Node.js security model.

Irrespective of Node.js not being affected, we will consider pulling in the patch from V8 as part of the regular ongoing release process. The patch has already been released in Node.js 14.15.5. As of this writing, it has not been released in Node.js 15.x or any releases earlier than 14.15.5.

Reply all
Reply to author
Forward
0 new messages