{"id":"CVE-2020-8252","details":"The implementation of realpath in libuv \u003c 10.22.1, \u003c 12.18.4, and \u003c 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.","aliases":["BIT-node-2020-8252","BIT-node-min-2020-8252"],"modified":"2026-07-07T08:51:39.789248619Z","published":"2020-09-18T21:15:13.497Z","related":["ALSA-2020:4272","ALSA-2021:0548","SUSE-SU-2020:2812-1","SUSE-SU-2020:2813-1","SUSE-SU-2020:2823-1","SUSE-SU-2020:2829-1","openSUSE-SU-2020:1616-1","openSUSE-SU-2020:1660-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_STRING","vendor_product":"fedoraproject:fedora","cpes":["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"33"},{"last_affected":"33"}]},{"cpes":["cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"15.2"},{"last_affected":"15.2"}],"source":"CPE_STRING","vendor_product":"opensuse:leap"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html"},{"type":"ADVISORY","url":"https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202009-15"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20201009-0004/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4548-1/"},{"type":"REPORT","url":"https://hackerone.com/reports/965914"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"cf41627411886000429bde058a6594fb7f6d6d47"},{"fixed":"b401aa24d7ab8b1fb804844df70472c3679696b9"},{"introduced":"2f45ad8060e13d5ac912335096d21526f2f9602b"},{"fixed":"1d60ea4c3ab35e0ec36305ad6e39eda8f07250cb"},{"introduced":"73aa21658dfa6a22c06451d080152b32b1f98dbe"},{"fixed":"3153c2d3833a8a46d92fde33d2773e63ef21357b"}],"database_specific":{"cpe":["cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*","cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*"],"extracted_events":[{"introduced":"10.0.0"},{"fixed":"10.22.1"},{"introduced":"12.0.0"},{"fixed":"12.18.4"},{"introduced":"14.0.0"},{"fixed":"14.9.0"}],"source":"CPE_RANGE"}}],"versions":["v14.8.0","v14.7.0","v12.18.3","v14.6.0","v10.22.0","v14.5.0","v12.18.2","v12.18.1","v12.18.0","v14.4.0","v10.21.0","v12.17.0","v14.3.0","v14.2.0","v14.1.0","v12.16.3","v14.0.0","v10.20.1","v12.16.2","v10.20.0","v12.16.1","v12.16.0","v10.19.0","v12.15.0","v10.18.1","v12.14.1","v12.14.0","v10.18.0","v12.13.1","v10.17.0","v12.13.0","v12.12.0","v12.11.1","v12.11.0","v12.10.0","v12.9.1","v12.9.0","v10.16.3","v12.8.1","v12.8.0","v10.16.2","v10.16.1","v12.7.0","v12.6.0","v12.5.0","v12.4.0","v10.16.0","v12.3.1","v12.3.0","v12.2.0","v12.1.0","v12.0.0","v10.15.3","v10.15.2","v10.15.1","v10.15.0","v10.14.2","v10.14.1","v10.14.0","v10.13.0","v10.12.0","v10.11.0","v10.10.0","v10.9.0","v10.8.0","v10.7.0","v10.6.0","v10.5.0","v10.4.1","v10.4.0","v10.3.0","v10.2.1","v10.2.0","v10.1.0","v10.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8252.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}