{"id":"CVE-2021-22931","details":"Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.","aliases":["BIT-node-2021-22931","BIT-node-min-2021-22931"],"modified":"2026-05-12T04:05:24.830940Z","published":"2021-08-16T19:15:13.127Z","related":["ALSA-2021:3623","ALSA-2021:3666","SUSE-SU-2021:2823-1","SUSE-SU-2021:2824-1","SUSE-SU-2021:2875-1","SUSE-SU-2021:2953-1","SUSE-SU-2021:3184-1","SUSE-SU-2021:3211-1","openSUSE-SU-2021:1214-1","openSUSE-SU-2021:1239-1","openSUSE-SU-2021:1313-1","openSUSE-SU-2021:2875-1","openSUSE-SU-2021:2953-1","openSUSE-SU-2021:3211-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"introduced":"12.0.0"},{"last_affected":"12.12.0"},{"introduced":"14.0.0"},{"last_affected":"14.14.0"},{"introduced":"16.0.0"},{"fixed":"16.6.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*"},{"extracted_events":[{"introduced":"12.13.0"},{"fixed":"12.22.5"},{"introduced":"14.15.0"},{"fixed":"14.17.5"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*"},{"extracted_events":[{"last_affected":"8.0.26"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.57"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.58"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.59"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*"},{"extracted_events":[{"fixed":"1.0.1.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*"}]},"references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202401-02"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210923-0001/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20211022-0003/"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"REPORT","url":"https://hackerone.com/reports/1178337"},{"type":"FIX","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"},{"type":"FIX","url":"https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/graalvm/graalvm-ce-builds","events":[{"introduced":"0"},{"last_affected":"55ff3f2503007a859219b5e7f68b0f6ca95225f0"},{"last_affected":"771d7a8d2b73cf72a2622ca6305dcc9e9306f296"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"20.3.3"},{"last_affected":"21.2.0"}],"source":"CPE_FIELD","cpe":["cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*","cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*"]}}],"versions":["vm-19.3.0","vm-19.3.0.2","vm-19.3.1","vm-19.3.2","vm-19.3.2-pre","vm-19.3.3","vm-19.3.4","vm-19.3.5","vm-19.3.6","vm-20.0.0","vm-20.0.1","vm-20.1.0","vm-20.2.0","vm-20.3.0","vm-20.3.1","vm-20.3.1.2","vm-20.3.2","vm-20.3.3","vm-21.0.0","vm-21.0.0.2","vm-21.1.0","vm-ce-21.2.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22931.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}