Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.
Conclusion & alert: CVE-2017-15897 is rated Moderate Risk (42.4/100): CVSS Low severity, with medium exploitation likelihood (EPSS 2.30%). Core evidence: EPSS rose +1.66% over the last day, indicating growing attacker interest. Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.64% | 2.30% | +1.66% |
| 2 | 2026-04-09 | 0.49% | 0.64% | +0.15% |
| 3 | 2026-03-08 | — | 0.49% | — |
Full EPSS history (13 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 3.1 | 3.1 | LOW |
|
1.6 | 1.4 | [email protected] |
| 4.3 | 2.0 | MEDIUM |
|
8.6 | 2.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2017-15897: 2 source package rows (nodejs, nodejs-current); 17 state rows across 17 repos (3.10-main, 3.11-main, 3.12-main, 3.17-community, 3.17-main, 3.18-community, 3.18-main, 3.19-community, 3.19-main, 3.20-community, 3.20-main, 3.21-community, 3.21-main, 3.22-community, 3.22-main, edge-community, edge-main); fixed 17, open 0. | https://security.alpinelinux.org/vuln/CVE-2017-15897 |
debian
|
unimportant | CVE-2017-15897 unimportant priority: Debian including 1 source packages (nodejs), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2017-15897 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2017-15897 |
ubuntu
|
medium | CVE-2017-15897 medium priority: Ubuntu including 1 source packages (nodejs), 6 status rows across 6 suites (artful, bionic, trusty, upstream, xenial, zesty): not-affected 4, ignored 2. | https://ubuntu.com/security/CVE-2017-15897 |
| URL | Tags |
|---|---|
| https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ | Issue Tracking Vendor Advisory |