CVE-2023-26110: 
JavaScript vulnerability analysis and mitigation

The node-bluetooth package contains a Buffer Overflow vulnerability (CVE-2023-26110) that was discovered on February 6, 2023, and publicly disclosed on March 8, 2023. This vulnerability affects all versions of the node-bluetooth package and is caused by improper user input length validation in the findSerialPortChannel method (Snyk Advisory).

The vulnerability is classified as a Buffer Copy without Checking Size of Input (Classic Buffer Overflow) vulnerability (CWE-120). It has received a CVSS v3.1 base score of 9.8 (CRITICAL) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Snyk assessed it with a score of 7.3 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The vulnerability is remotely exploitable with low attack complexity and requires no privileges or user interaction (NVD).

The buffer overflow vulnerability can lead to potential code execution, with impacts on confidentiality, integrity, and availability of the affected system. According to the CVSS scoring, the vulnerability can result in high-severity consequences including unauthorized information disclosure, data modification, and service interruptions (Snyk Advisory).

Currently, there is no fixed version available for the node-bluetooth package. Users of the package should consider implementing input validation controls or exploring alternative Bluetooth communication solutions (Snyk Advisory).