Login Sign Up

CVE-2021-39131

7.5 HIGH
Denial of Service

📋 TL;DR

CVE-2021-39131 is a denial-of-service vulnerability in the ced Node.js library that causes process crashes when non-Buffer data types are passed to its character encoding detection function. This affects applications using ced v0.1.0 for character encoding detection. The vulnerability can be exploited to crash Node.js processes, disrupting service availability.

💻 Affected Systems

Products:
  • ced (Node.js character encoding detection library)
Versions: ced v0.1.0 only
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that pass non-Buffer data types to ced's encoding detection functions

📦 What is this software?

Ced by Ced Project

View all CVEs affecting Ced →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service causing application downtime and service disruption

🟠

Likely Case

Application crashes leading to service interruptions and potential data loss in active sessions

🟢

If Mitigated

No impact if proper input validation or patched version is used

🌐 Internet-Facing: MEDIUM - Exploitable if application accepts user input for encoding detection, but requires specific conditions
🏢 Internal Only: LOW - Typically requires integration with user-facing input processing to be exploitable

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - simply passing non-Buffer data to affected functions causes crash

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ced v1.0.0

Vendor Advisory: https://github.com/sonicdoe/ced/security/advisories/GHSA-27wq-qx3q-fxm9

Restart Required: Yes

Instructions:

1. Update package.json to require ced version 1.0.0 or higher. 2. Run 'npm update ced' or 'yarn upgrade ced'. 3. Restart all Node.js processes using the ced library.

🔧 Temporary Workarounds

Input validation workaround

all

Validate all inputs to ced functions to ensure they are Buffer objects before processing

// Before calling ced functions, add: if (!Buffer.isBuffer(input)) { throw new Error('Input must be Buffer'); }

🧯 If You Can't Patch

  • Implement strict input validation using Buffer.isBuffer() before passing data to ced functions
  • Isolate ced usage to specific modules with input sanitization and implement circuit breakers

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules for ced version 0.1.0

Check Version:

npm list ced | grep ced or check package.json for ced version

Verify Fix Applied:

Verify ced version is 1.0.0 or higher in package.json and node_modules

📡 Detection & Monitoring

Log Indicators:

  • Node.js process crashes with segmentation faults
  • Application restarts without clear errors
  • Error logs showing process termination

Network Indicators:

  • Sudden service unavailability
  • Connection resets from affected services

SIEM Query:

process.name:node AND (event.type:crash OR exit_code:139 OR exit_code:134)

📊 Metadata

CVE ID: CVE-2021-39131
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-241
Published: August 17, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-39131, you might also want to check these:

CVE-2021-40116 8.6

This vulnerability in Cisco products with Snort3 configured allows unauthenticated remote attackers ...

Same vulnerability type (CWE-241)
CVE-2025-2268 7.5

This vulnerability allows attackers to cause denial of service on HP LaserJet MFP M232-M237 printers...

Same vulnerability type (CWE-241)
CVE-2022-1642 7.5

A type mismatch vulnerability in Swift's JSONDecoder can cause deterministic crashes when processing...

Same vulnerability type (CWE-241)