ALPINE-CVE-2018-7167
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 13 Jun 2018, 16:29
Last modified:03 Dec 2025, 22:43
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
3.1 (osv_alpine)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
13 Jun 2018, 16:29
Published
Vulnerability first disclosed
03 Dec 2025, 22:43
Last Modified
Vulnerability information updated
Description
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Systems
- alpine•nodejs
< 8.11.3-r0 | < 8.11.3-r0 | < 8.11.3-r0 | < 8.11.3-r0 | < 8.11.3-r0 | < 8.11.3-r0 | < 8.11.3-r0 | < 8.11.3-r0 | < 8.11.3-r0 | < 8.11.3-r0 | < 8.11.3-r0 | < 8.11.3-r0 | < 8.11.3-r0 | < 8.11.3-r0 | < 8.11.3-r0 | < 8.11.3-r0