Home > Vulnerability Database > WS-2022-0133

Mend.io Vulnerability Database

WS-2022-0133

Good to know:

Date: August 19, 2025

Use after free in Neon external buffers between 0.8.0 and before 0.10.1. Neon provides functionality for creating JavaScript ArrayBuffer (and the Buffer subtype) instances backed by bytes allocated outside of V8/Node. The JsArrayBuffer::external and JsBuffer::external did not require T: 'static prior to Neon 0.10.1. This allowed creating an externally backed buffer from types that may be freed while they are still referenced by a JavaScript ArrayBuffer

Language: RUST

Severity Score

8.8

Related Resources (5)

Url: https://github.com/neon-bindings/neon/commit/4e350ea1d74cc90158e7bc3b8ce273bf9b6a5c0f

Url: https://crates.io/crates/neon

Url: https://github.com/neon-bindings/neon/issues/896

Url: https://rustsec.org/advisories/RUSTSEC-2022-0028.html

Url: https://www.mend.io/vulnerability-database/WS-2022-0133

Severity Score

8.8

Weakness Type (CWE)

Use After Free

CWE-416

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2022-0133

Good to know:

Date: August 19, 2025

Language: RUST

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?