CVE-2018-3745
Buffer Overflow vulnerability in atob (npm)

Buffer Overflow | No known exploit

What is CVE-2018-3745 About?

Versions of the `atob` package prior to 2.1.0 are vulnerable to uninitialized buffer allocation, specifically on Node.js 4.x and below. When a number is passed as input, it can result in undefined behavior and potential memory corruption. Because the only trigger is a numeric input, the flaw is relatively easy for an attacker to trigger.

Affected Software

atob <2.1.0

Technical Details

The `atob` package, in versions earlier than 2.1.0, exhibits a vulnerability on Node.js 4.x and below where passing a number as input can lead to the creation of uninitialized Buffers. In these specific Node.js environments, providing a number directly to the Buffer constructor (e.g., `Buffer(number)`) allocates a buffer of that size filled with potentially uninitialized memory. An attacker could exploit this by providing a numeric value that is then used to create such an uninitialized buffer, leading to exposure of sensitive data that might reside in the memory segment, or potentially causing application crashes due to undefined behavior when working with the uninitialized data.
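
The pattern described above beside a hardened form, as an added example that is not the atob package's own source. The function names `legacyDecode`, `safeAtob` and `decodeField`, and the sample request bodies, are hypothetical and constructed for illustration.

```javascript
// Added example (not the atob package's source code).

// Legacy pattern described above: the argument reaches the Buffer constructor
// unchecked. On Node.js 4.x and below, a number here allocates that many bytes
// of uninitialized memory. Kept for contrast only; it is never called below.
function legacyDecode(input) {
  return new Buffer(input, 'base64').toString('binary'); // deprecated API
}

// Hardened form: accept strings only, then decode with Buffer.from().
// The explicit typeof check makes the guard independent of how the
// runtime's Buffer API treats numeric arguments.
function safeAtob(input) {
  if (typeof input !== 'string') {
    throw new TypeError('safeAtob expects a base64 string, got ' + typeof input);
  }
  return Buffer.from(input, 'base64').toString('binary');
}

// Decode one field of an already-parsed request body. JSON preserves the
// number type, so the type check has to happen after parsing, at the
// point where the value is handed to the decoder.
function decodeField(body, field) {
  try {
    return { ok: true, value: safeAtob(body[field]) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample inputs: one well-formed body, one carrying a number.
const samples = [
  JSON.parse('{"data": "aGVsbG8="}'),
  JSON.parse('{"data": 1024}'),
];
const results = samples.map((body) => decodeField(body, 'data'));
for (const r of results) console.log(r);
```

The type check is defense in depth for code that cannot yet upgrade; it does not replace moving to atob 2.1.0.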

What is the Impact of CVE-2018-3745?

Successful exploitation may allow attackers to gain access to sensitive information from uninitialized memory, cause application instability, or lead to arbitrary code execution in some buffer overflow scenarios.

What is the Exploitability of CVE-2018-3745?

Exploitation involves providing a numeric input to the atob function in an environment running Node.js 4.x or below and using a vulnerable version of the package. The complexity is low, as it generally involves a direct input to the vulnerable function. No authentication or special privileges are typically required if the application exposes atob functionality to user input. This can be a remote or local attack, depending on how the input reaches the vulnerable code. The primary prerequisite is the outdated Node.js environment combined with the vulnerable atob package. The risk increases if the application processes untrusted numeric inputs using atob.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2018-3745?

Available Upgrade Options

  • atob
    • <2.1.0 → Upgrade to 2.1.0

Additional Resources

What are Similar Vulnerabilities to CVE-2018-3745?

Similar Vulnerabilities: CVE-2017-15225, CVE-2018-3746, CVE-2016-10762, CVE-2019-10757, CVE-2019-18805