no-buffer-overread
Detects buffer access beyond bounds
Keywords: buffer overread, CWE-126, out-of-bounds, memory safety, security, Node.js
CWE: CWE-693
OWASP Mobile: OWASP Mobile Top 10
Detects buffer access beyond bounds. This rule is part of eslint-plugin-node-security.
💼 This rule is set to error in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-126 (Buffer Over-read) |
| Severity | High (CVSS 7.5) |
| Auto-Fix | 💡 Suggestions available |
| Category | Security |
Vulnerability and Risk
Vulnerability: Buffer over-read occurs when a program reads from a buffer (memory) past the buffer's boundary or before its beginning.
Risk: This can lead to the exposure of sensitive information residing in adjacent memory locations (Information Leakage), cause the application to crash (Denial of Service), or result in unexpected application behavior.
Rule Details
Buffer overread occurs when reading from buffers beyond their allocated length. This can lead to:
- Information disclosure (reading adjacent memory)
- Application crashes
- Security vulnerabilities like Heartbleed
- Undefined behavior
Why This Matters
| Issue | Impact | Solution |
|---|---|---|
| 📤 Info Leak | Sensitive data exposure | Validate buffer indices |
| 💥 Crash | Denial of service | Check bounds before access |
| 🔓 Security Bypass | Memory corruption | Use safe buffer methods |
Examples
❌ Incorrect
```js
// Reading beyond buffer length
const buf = Buffer.from('hello');
const byte = buf[10]; // Out of bounds!

// User-controlled index without validation
const index = parseInt(req.query.index);
const value = buffer[index]; // Potentially negative, NaN or too large!

// Slice without bounds checking
const data = buffer.slice(offset, offset + length);
// No validation that offset + length <= buffer.length

// readUInt32LE without bounds check
const word = buf.readUInt32LE(userOffset);
// Could read past end of buffer
```
✅ Correct
```js
if (index >= 0 && index < buffer.length) {
  const byte = buffer[index];
}
```
Configuration
```js
{
  rules: {
    'node-security/no-buffer-overread': ['error', {
      bufferMethods: ['readUInt8', 'readUInt16LE', 'readUInt32LE', 'slice'],
      boundsCheckFunctions: ['validateIndex', 'checkBounds'],
      bufferTypes: ['Buffer', 'Uint8Array', 'ArrayBuffer']
    }]
  }
}
```
Options
| Option | Type | Default | Description |
|---|---|---|---|
| bufferMethods | string[] | ['readUInt8', 'slice'] | Buffer methods to check |
| boundsCheckFunctions | string[] | ['validateIndex'] | Bounds checking functions |
| bufferTypes | string[] | ['Buffer', 'Uint8Array'] | Buffer types to monitor |
Error Message Format
```text
🔒 CWE-126 OWASP:A06-Vulnerable CVSS:7.5 | Buffer Overread | HIGH [SOC2,PCI-DSS]
Fix: Add bounds check before buffer access | https://nodejs.org/api/buffer.html
```
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Values from Variables
Why: Values stored in variables are not traced.
```js
// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);
```
Mitigation: Validate all user inputs.
Wrapper Functions
Why: Custom wrappers not recognized.
```js
// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internally
```
Mitigation: Apply rule to wrapper implementations.
Dynamic Invocation
Why: Dynamic calls not analyzed.
```js
// ❌ NOT DETECTED - Dynamic
obj[method](userInput);
```
Mitigation: Avoid dynamic method invocation.
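The three incorrect patterns from the Examples section behave differently on a Node.js `Buffer`, which matters when deciding how to validate input the rule cannot trace. The following added example (not part of eslint-plugin-node-security) shows each behaviour on a constructed buffer, then a `readRange` helper that applies the bounds check the "Correct" example describes; `readRange` is a hypothetical name.

```javascript
// Constructed sample: a 6-byte record whose first four bytes are a
// little-endian uint32 and whose last two bytes are a payload.
const buf = Buffer.from([0x01, 0x00, 0x00, 0x00, 0xaa, 0xbb]);

// Pattern 1 (buf[10]): indexing past either end of a Node Buffer returns
// undefined instead of adjacent memory, so the danger is a silent bogus
// value (or NaN from parseInt) flowing onward, not a raw memory leak.
function indexRead(buffer, index) {
  return buffer[index];
}

// Pattern 2 (slice without checks): slice/subarray clamp to the buffer and
// treat a negative offset as "from the end", so a bad offset+length yields a
// short, empty or wrongly positioned buffer with no error at all.
function sliceRead(buffer, offset, length) {
  return buffer.slice(offset, offset + length);
}

// Pattern 3 (readUInt32LE): Node's typed read helpers are range-checked and
// throw ERR_OUT_OF_RANGE. Returns the error code, or null when the read is ok.
function typedReadError(buffer, offset) {
  try {
    buffer.readUInt32LE(offset);
    return null;
  } catch (err) {
    return err.code;
  }
}

// Bounds-checked reader (hypothetical helper): reject non-integer, negative
// and oversized ranges before touching the buffer, then return a copy so the
// caller cannot alias the underlying memory.
function readRange(buffer, offset, length) {
  if (!Number.isInteger(offset) || !Number.isInteger(length)) {
    throw new RangeError('offset and length must be integers');
  }
  if (offset < 0 || length < 0 || offset + length > buffer.length) {
    throw new RangeError(
      `range [${offset}, ${offset + length}) exceeds buffer length ${buffer.length}`);
  }
  return Buffer.from(buffer.subarray(offset, offset + length));
}
```

Because `readRange` checks the numbers themselves rather than where they came from, it closes the "Values from Variables" gap above: a value parsed from a request and stored in a variable still fails the integer and range checks.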
Further Reading
- CWE-126 - Buffer over-read
- OWASP Buffer Overflow - General buffer overflow info
- Node.js Buffer - Buffer documentation
- Heartbleed - Famous buffer overread vulnerability
Related Rules
- no-unlimited-resource-allocation - Unbounded allocations
- detect-non-literal-fs-filename - Path traversal