Skip to content


Ensure buffer does not use noAssert

Note: This vulnerability only exists for versions of Node 9.xx.x and below.

Node.js’s buffer API has the following methods to interact with an buffer object, once once has been instantiated:

'readUInt8', 'readUInt16LE', 'readUInt16BE', 'readUInt32LE', 'readUInt32BE', 'readInt8',
'readInt16LE', 'readInt16BE', 'readInt32LE', 'readInt32BE', 'readFloatLE', 'readFloatBE', 'readDoubleL', 'readDoubleBE', 'writeUInt8', 'writeUInt16LE', 'writeUInt16BE', 'writeUInt32LE', 'writeUInt32BE', 'writeInt8', 'writeInt16LE', 'writeInt16BE', 'writeInt32LE', 'writeInt32BE', 'writeFloatLE', 'writeFloatBE', 'writeDoubleLE', 'writeDoubleBE'

Prior to Node v0.10, this methods accepted an additional noAssert parameter, which when supplied as true, would allow would allow reading (or writing) outside of the bounds of the buffer.

This can allow, among other things, an attacker to modify the execution of the program or access sensitive information of the program by reading data outside of the allocated buffer, or writing data to a memory segment that has side effects on other parts of the program.


Insecure Example

Calling any of the outlined methods with the noAssert parameter supplied, and set to true.

var buf = new Buffer(8);
buf.writeDoubleBE(0xdeadbeefcafebabe, 0, true);

Secure Example

Being alerted of this error is an indicator that you are on a very old version of Node. In newer versions, the Buffer libraries in particular have been updated to make up for usability and security concerns. It is recommended that you upgrade your Node version, and utilize the newest Buffer interfaces.

Changing out the entire is not often practical, so therefore simply omitting the noAssert parameter would offer safety for this particular vulernability.