CVE-2014-5256
V8: Memory Corruption and Stack Overflow
Public Exploits: 1
Exploited in Wild: -
Descriptions
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.
It was discovered that V8 did not properly check the stack size limit in certain cases. A remote attacker able to send a request that caused a script executed by V8 to use deep recursion could trigger a stack overflow, leading to a crash of an application using V8.
A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your workload involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the process aborting while parsing.
Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Node.js before 0.10.31, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
The nodejs package has been updated to version 0.10.33 to fix these issues as well as several other bugs.
Timeline
- 2014-08-15 CVE Reserved
- 2014-09-05 CVE Published
- 2024-08-06 CVE Updated
- 2024-08-06 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-121: Stack-based Buffer Overflow
References (8)
URL | Tag | Source |
---|---|---|
http://advisories.mageia.org/MGASA-2014-0516.html | X_refsource_confirm | |
http://secunia.com/advisories/61260 | Third Party Advisory | |
http://www-01.ibm.com/support/docview.wss?uid=swg21684769 | X_refsource_confirm | |

URL | Date | SRC |
---|---|---|
https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356 | 2024-08-06 | |

URL | Date | SRC |
---|---|---|
http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow | 2015-05-12 | |

URL | Date | SRC |
---|---|---|
http://www.mandriva.com/security/advisories?name=MDVSA-2015:142 | 2015-05-12 | |
https://access.redhat.com/security/cve/CVE-2014-5256 | 2014-10-30 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1125464 | 2014-10-30 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Nodejs | Nodejs | 0.8.0 | - | Affected |
Nodejs | Nodejs | 0.8.1 | - | Affected |
Nodejs | Nodejs | 0.8.2 | - | Affected |
Nodejs | Nodejs | 0.8.3 | - | Affected |
Nodejs | Nodejs | 0.8.4 | - | Affected |
Nodejs | Nodejs | 0.8.5 | - | Affected |
Nodejs | Nodejs | 0.8.6 | - | Affected |
Nodejs | Nodejs | 0.8.7 | - | Affected |
Nodejs | Nodejs | 0.8.8 | - | Affected |
Nodejs | Nodejs | 0.8.9 | - | Affected |
Nodejs | Nodejs | 0.8.10 | - | Affected |
Nodejs | Nodejs | 0.8.11 | - | Affected |
Nodejs | Nodejs | 0.8.12 | - | Affected |
Nodejs | Nodejs | 0.8.13 | - | Affected |
Nodejs | Nodejs | 0.8.14 | - | Affected |
Nodejs | Nodejs | 0.8.15 | - | Affected |
Nodejs | Nodejs | 0.8.16 | - | Affected |
Nodejs | Nodejs | 0.8.17 | - | Affected |
Nodejs | Nodejs | 0.8.18 | - | Affected |
Nodejs | Nodejs | 0.8.19 | - | Affected |
Nodejs | Nodejs | 0.8.20 | - | Affected |
Nodejs | Nodejs | 0.8.21 | - | Affected |
Nodejs | Nodejs | 0.8.22 | - | Affected |
Nodejs | Nodejs | 0.8.23 | - | Affected |
Nodejs | Nodejs | 0.8.24 | - | Affected |
Nodejs | Nodejs | 0.8.25 | - | Affected |
Nodejs | Nodejs | 0.8.26 | - | Affected |
Nodejs | Nodejs | 0.8.27 | - | Affected |
Nodejs | Nodejs | 0.10.0 | - | Affected |
Nodejs | Nodejs | 0.10.1 | - | Affected |
Nodejs | Nodejs | 0.10.2 | - | Affected |
Nodejs | Nodejs | 0.10.3 | - | Affected |
Nodejs | Nodejs | 0.10.4 | - | Affected |
Nodejs | Nodejs | 0.10.5 | - | Affected |
Nodejs | Nodejs | 0.10.6 | - | Affected |
Nodejs | Nodejs | 0.10.7 | - | Affected |
Nodejs | Nodejs | 0.10.8 | - | Affected |
Nodejs | Nodejs | 0.10.9 | - | Affected |
Nodejs | Nodejs | 0.10.10 | - | Affected |
Nodejs | Nodejs | 0.10.11 | - | Affected |
Nodejs | Nodejs | 0.10.12 | - | Affected |
Nodejs | Nodejs | 0.10.13 | - | Affected |
Nodejs | Nodejs | 0.10.14 | - | Affected |
Nodejs | Nodejs | 0.10.15 | - | Affected |
Nodejs | Nodejs | 0.10.16 | - | Affected |
Nodejs | Nodejs | 0.10.17 | - | Affected |
Nodejs | Nodejs | 0.10.18 | - | Affected |
Nodejs | Nodejs | 0.10.19 | - | Affected |
Nodejs | Nodejs | 0.10.20 | - | Affected |
Nodejs | Nodejs | 0.10.21 | - | Affected |
Nodejs | Nodejs | 0.10.22 | - | Affected |
Nodejs | Nodejs | 0.10.23 | - | Affected |
Nodejs | Nodejs | 0.10.24 | - | Affected |
Nodejs | Nodejs | 0.10.25 | - | Affected |
Nodejs | Nodejs | 0.10.26 | - | Affected |
Nodejs | Nodejs | 0.10.27 | - | Affected |
Nodejs | Nodejs | 0.10.28 | - | Affected |
Nodejs | Nodejs | 0.10.29 | - | Affected |