CVE-2022-25345 – @discordjs/opus

Package

Manager: npm
Name: @discordjs/opus
Vulnerable Version: >=0 <0.8.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0033 pctl0.55366

Details

Uncontrolled Resource Consumption in @discordjs/opus Improperly handled errors in @discordjs/opus cause hard crashes instead of returning the error to user land. All versions of package @discordjs/opus (<= 0.7.0) are vulnerable to Denial of Service (DoS) when trying to encode using an encoder with zero channels, or a non-initialized buffer. This leads to a hard crash due to improperly returning the errors from the invalid inputs. As of version 0.8.0, the errors are correctly returned to the user and are no longer throwing hard crashes that cannot be recovered.

Metadata

Created: 2022-06-18T00:00:20Z
Modified: 2023-09-07T18:48:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rvgf-69j7-xh78/GHSA-rvgf-69j7-xh78.json
CWE IDs: ["CWE-908"]
Alternative ID: GHSA-rvgf-69j7-xh78
Finding: F138
Auto approve: 1