Intel

AIKIDO-2026-355916

h3-js is vulnerable to Memory Corruption

Memory Corruption Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 6 days ago

55

Medium Risk

This Affects:

JSh3-js
4.0.0 - 4.4.0
Fixed in 4.5.0
Are you affected? Scan for Free

TL;DR

The gridDisk and gridDiskDistances functions in h3-js derive an output buffer size from the caller-supplied ringSize and pass it directly to the WebAssembly allocator via _calloc without validating the resulting byte length. When ringSize is large, the unchecked allocation corrupts the shared WebAssembly heap, so later valid calls into the module return wrong results or fail. The fix adds a callocArray helper that caps allocations at a maximum byte length and throws E_MEMORY_ALLOC before the unsafe allocation occurs. Regression tests confirm oversized requests no longer break subsequent calls.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and pass an untrusted or unbounded ringSize to gridDisk or gridDiskDistances.

Background info

h3-js is vulnerable to Memory Corruption in versions 4.0.0 - 4.4.0.

How to fix this

Upgrade the h3-js library to the patch version.