CVE-2021-46463

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-46463

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-46463.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-46463

Downstream

ALPINE-CVE-2021-46463

Published

2022-02-14T22:15:07.793Z

Modified

2025-11-14T12:41:23.421414Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

njs through 0.7.1, used in NGINX, was discovered to contain a control flow hijack caused by a Type Confusion vulnerability in njspromiseperform_then().

References

Affected packages

Git / github.com/nginx/njs

Affected ranges

Type: GIT
Repo: https://github.com/nginx/njs
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

6a40a85ff239497c6458c7dbef18f6a2736fe992

Affected versions

0.*

0.1.0

0.1.1

0.1.10

0.1.11

0.1.12

0.1.13

0.1.14

0.1.15

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.5.0

0.5.1

0.5.2

0.5.3

0.6.0

0.6.1

0.6.2

0.7.0

0.7.1

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 1938.0,
            "function_hash": "21246998728196361327344536470616306135"
        },
        "id": "CVE-2021-46463-05680313",
        "target": {
            "function": "njs_vmcode_await",
            "file": "src/njs_vmcode.c"
        },
        "source": "https://github.com/nginx/njs/commit/6a40a85ff239497c6458c7dbef18f6a2736fe992"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 909.0,
            "function_hash": "208272686093314657909013776463892444071"
        },
        "id": "CVE-2021-46463-9da832f8",
        "target": {
            "function": "njs_promise_prototype_then",
            "file": "src/njs_promise.c"
        },
        "source": "https://github.com/nginx/njs/commit/6a40a85ff239497c6458c7dbef18f6a2736fe992"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 1639.0,
            "function_hash": "196078636397453533623470776534111444351"
        },
        "id": "CVE-2021-46463-ce75c71c",
        "target": {
            "function": "njs_promise_perform_then",
            "file": "src/njs_promise.c"
        },
        "source": "https://github.com/nginx/njs/commit/6a40a85ff239497c6458c7dbef18f6a2736fe992"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "155417522826301046500881426670855124524",
                "249312154007663672555820420838083510384",
                "20563829899076045043907323613226887818",
                "85105438021514541971620596122469271628",
                "173597929925441239629050411842993982808",
                "53753669303706171275580786200512089287",
                "44500577361851199594739921909434060131",
                "221653356911939617307435172227572506204",
                "270074205679557101107801397094651092412",
                "136288601495108740147380069283129817702",
                "140663067054207964369840543430557429667",
                "130305360822471665411792678033678053826",
                "173464364641218630713931704549874550609",
                "306047671956993844460676439670464768336",
                "234314352965296168903347549700017802377",
                "153582797412078577901508896827077458483",
                "321415484544608706314320264593048404789",
                "20662433042072775169483857996290501945",
                "114405618647977471230844548586680676936",
                "77160860655255747039881998989842551872",
                "56338637471529501472647267032093479767",
                "329528173595849169562766280473669413670",
                "152293518093237074708619529757211614400",
                "167288088722705039456936956672444012006",
                "233305748940883635932267350315134539644",
                "87484414237065616297386360029613262452",
                "116550684094124015042519051007996642572",
                "199256592011457622619588245969930517980",
                "330371041333058799819609820103029008765",
                "254606608900620546340903016460092532673",
                "73641929353334428288719439133950995131",
                "89605162350293260522290076680462187201",
                "262945437954933783801855450529540842194",
                "67447878501784741117079035904721887179"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2021-46463-e02c3fea",
        "target": {
            "file": "src/njs_promise.c"
        },
        "source": "https://github.com/nginx/njs/commit/6a40a85ff239497c6458c7dbef18f6a2736fe992"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 755.0,
            "function_hash": "200971510012489027532995298137152098054"
        },
        "id": "CVE-2021-46463-ee6859ce",
        "target": {
            "function": "njs_promise_resolve",
            "file": "src/njs_promise.c"
        },
        "source": "https://github.com/nginx/njs/commit/6a40a85ff239497c6458c7dbef18f6a2736fe992"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "206082296653492671639062049205906256740",
                "21386766158086280400735179989360493302",
                "21096447563613545260961317477975536374",
                "14460679192694295907326851527701296974"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2021-46463-f91d6590",
        "target": {
            "file": "src/njs_vmcode.c"
        },
        "source": "https://github.com/nginx/njs/commit/6a40a85ff239497c6458c7dbef18f6a2736fe992"
    }
]