{"api_version":"1","generated_at":"2026-04-23T00:37:31+00:00","cve":"CVE-2018-7167","urls":{"html":"https://cve.report/CVE-2018-7167","api":"https://cve.report/api/cve/CVE-2018-7167.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-7167","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-7167"},"summary":{"title":"CVE-2018-7167","description":"Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS \"Boron\"), 8.x (LTS \"Carbon\"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.","state":"PUBLIC","assigner":"cve-request@iojs.org","published_at":"2018-06-13 16:29:00","updated_at":"2022-08-29 20:24:00"},"problem_types":["CWE-119"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/106363","name":"106363","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Node.js Multiple Denial of Service Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/","name":"https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"June 2018 Security Releases | Node.js","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202003-48","name":"GLSA-202003-48","refsource":"GENTOO","tags":[],"title":"Node.js: Multiple vulnerabilities (GLSA 202003-48) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-7167","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7167","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"7167","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"7167","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"7167","vulnerable":"1","versionEndIncluding":"6.14.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"7167","vulnerable":"1","versionEndIncluding":"8.11.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"7167","vulnerable":"1","versionEndIncluding":"9.11.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-7167","qid":"500449","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2018-7167","qid":"504215","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2018-7167","qid":"900064","title":"CBL-Mariner Linux Security Update for nodejs 8.11.4"},{"cve":"CVE-2018-7167","qid":"902900","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (4293)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve-request@iojs.org","DATE_PUBLIC":"2018-06-12T00:00:00","ID":"CVE-2018-7167","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Node.js","version":{"version_data":[{"version_value":"6.x+"},{"version_value":"8.x+"},{"version_value":"9.x+"},{"version_value":"10.x+"}]}}]},"vendor_name":"The Node.js Project"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS \"Boron\"), 8.x (LTS \"Carbon\"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Denial of Service"}]}]},"references":{"reference_data":[{"name":"106363","refsource":"BID","url":"http://www.securityfocus.com/bid/106363"},{"name":"https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/","refsource":"CONFIRM","url":"https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"},{"refsource":"GENTOO","name":"GLSA-202003-48","url":"https://security.gentoo.org/glsa/202003-48"}]}},"nvd":{"publishedDate":"2018-06-13 16:29:00","lastModifiedDate":"2022-08-29 20:24:00","problem_types":["CWE-119"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*","versionStartIncluding":"8.9.0","versionEndExcluding":"8.11.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.11.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*","versionStartExcluding":"6.9.0","versionEndExcluding":"6.14.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"7167","Ordinal":"123404","Title":"CVE-2018-7167","CVE":"CVE-2018-7167","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"7167","Ordinal":"1","NoteData":"Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS \"Boron\"), 8.x (LTS \"Carbon\"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"7167","Ordinal":"2","NoteData":"2018-06-13","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"7167","Ordinal":"3","NoteData":"2020-03-20","Type":"Other","Title":"Modified"}]}}}