dns2 is vulnerable to Denial of Service (DoS)
46
Medium Risk
Packet.Name.decode in packet.js follows DNS name compression pointers when decoding names but does not track which pointer offsets it has already visited. A crafted DNS message whose name pointers reference each other in a cycle makes the decoder jump between the same offsets endlessly. Because parsing runs on the single-threaded Node.js event loop, one malformed packet causes an infinite loop that hangs the server or client process handling it. The fix records visited pointer targets in a Set and throws Name decode: pointer cycle detected when a pointer target repeats.
You are affected if you are using a version that falls within the vulnerable range and your application parses DNS messages from untrusted sources.
dns2 is vulnerable to Denial of Service (DoS) in versions 1.1.0 - 2.2.1.
Upgrade the dns2 library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant