VIR Vulnerability Intelligence Relay

CVE-2017-15897

low
Published 2017-12-11 · Modified 2026-05-13
CVSS v3
3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v2
4.3
VIR risk
3.1

Description

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.

Predictions

Exploit likelihood
42%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-15897

vendor Authored 2026-05-27

Vendor advisory: cve-request@iojs.org — https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/

OS impact
OSVersionStatusFixed in
debian debianbookwormfixed0
debian debianbullseyefixed0
debian debianforkyfixed0
debian debiansidfixed0
debian debiantrixiefixed0

Application impact
VendorProductVersionsFixed
nodejsnode.js{"startIncluding":"8.0.0","endIncluding":"8.8.1"}

References

CWEs

CWE-665

Verify integrity in audit chain (admin only). AS-IS.