Buffer Overflow Affecting node-bluetooth-serial-port package, versions *


0.0
high
0
10

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.19% (57th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-NODEBLUETOOTHSERIALPORT-3311820
  • published 8 Mar 2023
  • disclosed 6 Feb 2023
  • credit Raoul Scholtes, Giancarlo Pellegrino, Cris Staicu

How to fix?

There is no fixed version for node-bluetooth-serial-port.

Overview

Affected versions of this package are vulnerable to Buffer Overflow via the findSerialPortChannel method due to improper user input length validation.

PoC

const BluetoothSerialPort = require("node-bluetooth-serial-port")
const serial = new BluetoothSerialPort.BluetoothSerialPort()

serial.findSerialPortChannel("INSERT A VERY LONG STRING HERE INSTEAD OF THIS LINE", () => console.log("success"), () => console.log("error"))