CVE-2024-21522: 
JavaScript vulnerability analysis and mitigation

All versions of the package audify are vulnerable to Improper Validation of Array Index (CVE-2024-21522). The vulnerability was discovered and disclosed on February 20, 2024, and published on July 9, 2024. The vulnerability affects the OpusDecoder component in the audify package, which is used for playing, streaming, recording PCM audio data, and encoding/decoding Opus to PCM audio data (Snyk Advisory).

The vulnerability occurs when frameSize is provided to the new OpusDecoder().decode or new OpusDecoder().decodeFloat functions, where it is not checked for negative values. The vulnerable code is present in the opus_decoder.cpp file. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it is network-accessible, requires low attack complexity, and can result in high availability impact (Snyk Advisory).

When exploited, this vulnerability can lead to a process crash due to invalid array indexing. The impact primarily affects the availability of the system, with no direct impact on confidentiality or integrity. The vulnerability can result in a Denial of Service (DoS) condition when a negative frameSize value is provided (GitHub PoC).

Currently, there is no fixed version available for the audify package (Snyk Advisory). Users should monitor for updates and implement input validation for frameSize parameters as a temporary workaround.