CVE-2021-22918: 
npm vulnerability analysis and mitigation

Node.js before versions 16.4.1, 14.17.2, and 12.22.2 was discovered to contain an out-of-bounds read vulnerability in the uv_idnatoascii() function, which is used to convert strings to ASCII. The vulnerability was disclosed on July 1, 2021, and affects all versions of the 16.x, 14.x, and 12.x release lines. The issue occurs when the pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer (Node Blog, NVD).

The vulnerability exists in libuv's uv_idnatoascii() function which is used by Node's dns module's lookup() function. The core issue involves an out-of-bounds read operation where a pointer is manipulated without proper boundary checks against the buffer's end pointer. This can be triggered through the uv_getaddrinfo() function. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The exploitation of this vulnerability can lead to information disclosures or application crashes. The out-of-bounds read condition allows attackers to potentially access sensitive information outside the intended buffer boundaries (Node Blog, Gentoo).

The vulnerability has been fixed in Node.js versions 16.4.1, 14.17.2, and 12.22.2. Users are advised to upgrade to these or later versions. For systems using libuv directly, upgrading to version 1.41.1 or later is recommended. No workarounds are available for this vulnerability, making upgrading the only effective mitigation strategy (Node Blog, Gentoo).