Use After Free Affecting neon package, versions <0.10.1


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Use After Free vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RUST-NEON-2847870
  • published25 May 2022
  • disclosed22 May 2022
  • creditCassy343

Introduced: 22 May 2022

CVE NOT AVAILABLE CWE-416  (opens in a new tab)

How to fix?

Upgrade neon to version 0.10.1 or higher.

Overview

neon is a Rust bindings for writing safe and fast native Node.js modules.

Affected versions of this package are vulnerable to Use After Free as the JsArrayBuffer::external and ``JsBuffer::externalmethods did not requireT: 'static. This allowed the creation of an externally backed buffer from types that may be freed while they are still referenced by a JavaScript ArrayBuffer`.

CVSS Scores

version 3.1