Use After Free Affecting nodejs package, versions <1:20.19.1-1.module+el8.10.0+90560+49d7a1eb


Severity

Recommended
medium

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
0.14% (35th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Use After Free vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-ORACLE8-NODEJS-10060092
  • published7 May 2025
  • disclosed8 Apr 2025

Introduced: 8 Apr 2025

CVE-2025-31498  (opens in a new tab)
CWE-416  (opens in a new tab)

How to fix?

Upgrade Oracle:8 nodejs to version 1:20.19.1-1.module+el8.10.0+90560+49d7a1eb or higher.
This issue was patched in ELSA-2025-4461.

NVD Description

Note: Versions mentioned in the description apply only to the upstream nodejs package and not the nodejs package as distributed by Oracle. See How to fix? for Oracle:8 relevant fixed versions and status.

c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.

CVSS Base Scores

version 3.1