Vulnerability DatabaseCVE-2020-8277

CVE-2020-8277:
npm vulnerability analysis and mitigation

Overview

CVE-2020-8277 is a Denial of Service vulnerability discovered in Node.js that affects versions < 15.2.1, < 14.15.1, and < 12.19.1. The vulnerability allows an attacker to trigger a DNS request for a host of their choice, potentially causing a Denial of Service by getting the application to resolve a DNS record with a larger number of responses. The vulnerability was disclosed in November 2020 and has been fixed in versions 15.2.1, 14.15.1, and 12.19.1 (Node.js Blog).

Technical details

The vulnerability exists in Node.js applications that allow triggering DNS requests. An attacker can cause a Denial of Service condition by manipulating the application to resolve a DNS record containing a large number of responses. The vulnerability affects multiple versions of Node.js including versions 12.16.3 and higher on the 12.x release line, versions 14.13.0 and higher on the 14.x release line, and all versions of the 15.x release line (Node.js Blog).

Impact

The successful exploitation of this vulnerability can result in a Denial of Service condition, potentially making the affected Node.js application unavailable to legitimate users (NVD).

Mitigation and workarounds

The vulnerability has been fixed in Node.js versions 15.2.1, 14.15.1, and 12.19.1. Users are strongly recommended to upgrade to these patched versions to mitigate the vulnerability (Node.js Blog).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

7.5

Score

Published November 19, 2020

Severity HIGH

CNA Score N/A

Affected Technologies

npm
NixOS

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 97.6

Exploitation Probability (EPSS) 46.5

Affected packages and libraries

cpe:2.3:a:oracle:graalvm:*:*:*:*:enterprise:*:*:*
c-ares-utils

Sources

AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: Jul 20, 2022
Alpine Security Tracker
- Alpine 3.11, 3.12, 3.13, 3.14 Severity HIGHHas FixAdded at: Nov 23, 2021
- Alpine 3.15 Severity HIGHHas FixAdded at: Nov 25, 2021
- Alpine 3.16 Severity HIGHHas FixAdded at: May 24, 2022
- Alpine 3.17 Severity HIGHHas FixAdded at: Nov 23, 2022
- Alpine 3.18 Severity HIGHHas FixAdded at: May 10, 2023
- Alpine 3.19 Severity HIGHHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity HIGHHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity HIGHHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
- Alpine edge Severity HIGHHas FixAdded at: Jun 19, 2023
CBL-Mariner
- CBL-Mariner 1.0 Severity HIGHHas FixAdded at: Jun 10, 2023
- CBL-Mariner 2.0 Severity HIGHHas FixAdded at: Apr 04, 2024
Chainguard
- Chainguard Has FixAdded at: Sep 03, 2025
Debian Security Tracker
- Debian 11, 12 Severity HIGHHas FixAdded at: Nov 23, 2021
- Debian 13 Severity HIGHHas FixAdded at: Jun 11, 2023
- Debian 14 Severity HIGHHas FixAdded at: Aug 10, 2025
Gentoo Advisory Database
- Gentoo Severity MEDIUMHas FixAdded at: Jul 24, 2022
Homebrew
- Homebrew Severity HIGHHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity HIGHHas FixAdded at: Nov 01, 2023
Photon Security Advisory
- Photon 1.0, 2.0, 3.0, 4.0 Severity HIGHHas FixAdded at: Nov 23, 2021
Red Hat Errata
- Red Hat 8 Severity MEDIUMHas FixAdded at: Nov 23, 2021
Ubuntu Security Tracker
- Ubuntu 20.10 Severity MEDIUMHas FixAdded at: Nov 23, 2021
Wolfi
- Wolfi Has FixAdded at: Sep 01, 2025
NVD
- Linux Severity HIGHHas FixAdded at: Nov 23, 2021
- Windows Severity HIGHHas FixAdded at: Nov 23, 2021