OpenCC has an Out-of-bounds read when processing truncated UTF-8 input

Description

OpenCC versions before 1.2.0 contain two CWE-125: Out-of-bounds Read issues caused by length validation failures in UTF-8 processing. When handling malformed or truncated UTF-8 input, OpenCC trusted derived length values without enforcing the invariant that processed length must not exceed the remaining input buffer.

Recommendation

Update the opencc package to the latest compatible version. Followings are version details:

• Affected version(s): < 1.2.0
• Patched version(s): 1.2.0

References

• GHSA-7fqq-q52p-2jjg
• CWE-125

Related Issues

• Open Chinese Convert has Out-of-bounds Write - CVE-2025-15536
• Open Chinese Convert subject to Denial of Service via Out-of-bounds Read - CVE-2018-16982
• Out-of-bounds Read in njwt - Vulnerability
• PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled - Vulnerability

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

opencc