CVE-2020-6458: 
Node.js vulnerability analysis and mitigation

CVE-2020-6458 is an out-of-bounds read and write vulnerability discovered in PDFium component of Google Chrome versions prior to 81.0.4044.122. The vulnerability was discovered by Aleksandar Nikolic of Cisco Talos on April 2, 2020, and allows a remote attacker to potentially exploit heap corruption through a specially crafted PDF file (Chrome Release, Talos Report).

The vulnerability exists in the way PDFium executes JavaScript regular expressions in PDF documents. The issue occurs specifically when V8 JavaScript engine runs in 'jitless' mode, which is the default configuration for PDFium. The bug manifests during the processing of large regular expressions containing special characters like '+' or '?', leading to an out-of-bounds read in the regexp interpreter. The vulnerability received a CVSS v3.1 Base Score of 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, Talos Report).

The vulnerability could potentially be exploited to achieve arbitrary code execution in the browser context through heap corruption. The attack requires user interaction in the form of opening a maliciously crafted PDF file (Talos Report).

Google released a patch for this vulnerability in Chrome version 81.0.4044.122. Users and organizations are advised to update to this version or later to mitigate the vulnerability. The fix was also included in Debian security update DSA-4714 (Chrome Release, Debian Advisory).