ALPINE-CVE-2021-22931

Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 16 Aug 2021, 19:15
Last modified: 03 Dec 2025, 22:48

Vulnerability Summary

  • Overall Risk (default): high, 70/100
  • CVSS Score: 9.8 CRITICAL, 3.1 (osv_alpine)
  • EPSS Score: No data
  • KEV: Not listed
  • Ransomware: No reports
  • Public exploits: None found
  • Dark Web: Not detected

Timeline

  • 16 Aug 2021, 19:15: Published (vulnerability first disclosed)
  • 03 Dec 2025, 22:48: Last Modified (vulnerability information updated)

Description

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to remote code execution, XSS, and application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js dns library, which can lead to output of wrong hostnames (leading to domain hijacking) and to injection vulnerabilities in applications using the library.

CVSS Metrics

  • v3.1, CRITICAL, Score: 9.8, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Systems

  • alpine: nodejs

    < 12.22.5-r0 | < 12.22.5-r0 | < 14.17.5-r0 | < 14.17.5-r0 | < 14.17.5-r0 | < 14.17.5-r0 | < 14.17.5-r0 | < 14.17.5-r0 | < 14.17.5-r0 | < 14.17.5-r0 | < 14.17.5-r0 | < 14.17.5-r0 | < 14.17.5-r0

References (1)