CVE-2024-25629: 
npm vulnerability analysis and mitigation

CVE-2024-25629 affects c-ares, a C library for asynchronous DNS requests. The vulnerability was discovered in the ares__read_line() function which is used to parse local configuration files including /etc/resolv.conf, /etc/nsswitch.conf, the HOSTALIASES file, and in versions prior to 1.27.0, the /etc/hosts file. The issue was fixed in c-ares version 1.27.0 (GitHub Advisory).

The vulnerability is an out-of-bounds read condition that occurs when any of the configuration files contains an embedded NULL character as the first character in a new line. This can lead to an attempt to read memory prior to the start of the given buffer. The vulnerability has been assigned a CVSS v3.1 base score of 4.4 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H. The issue has been classified as CWE-127 (Buffer Under-read) (GitHub Advisory, NVD).

If successfully exploited, this vulnerability may result in a program crash, affecting the availability of the system. The impact is limited to availability with no direct effect on confidentiality or integrity (GitHub Advisory).

The vulnerability has been fixed in c-ares version 1.27.0. Users are advised to upgrade to this version or later. No workarounds exist for this vulnerability. Various Linux distributions have released security updates to address this issue, including Fedora 38, 39, and 40 (Fedora Update).