Skip to content

nbind ThreadCrash #145

Description

@harsh-h4x

nbind's cbFunction class in include/nbind/v8/Callback.h invokes
Nan::Call(func, Nan::GetCurrentContext()->Global(), ...) without
acquiring a V8 Isolate lock. When a C++ class stores a JavaScript
callback and later invokes it from a non-owner thread (e.g.,
std::thread, thread pool), V8's internal data structures are accessed
concurrently, causing a segmentation fault or use-after-free.

V8 requires that all JavaScript execution occurs on the thread that owns
the isolate. The cbFunction::call() method at line 54 provides no
v8::Locker, Nan::AsyncWorker, or uv_async_send mechanism to
schedule the callback on the correct thread.

Any nbind-based native addon that:

  1. Accepts a JavaScript callback via nbind::cbFunction &
  2. Stores it as a class member
  3. Invokes it from a C++ worker thread

...will crash the Node.js process. This pattern is common in real-world
addons performing async I/O, database queries, or CPU-intensive work.

Severity is High (CVSS 3.1: 7.5) due to:

  • Low attack complexity (single thread spawn)
  • No privileges or user interaction required
  • High availability impact (process crash, heap corruption)
  • Potential for arbitrary code execution via V8 heap state corruption

AFFECTED VERSIONS:
All versions including 0.3.15 (latest).

PRODUCT:
Package: nbind
Affected: >= 0.1.0, <= 0.3.15
Ecosystem: npm

PATHS:
include/nbind/v8/Callback.h (line 54)
include/nbind/v8/Output.h (line 159)

STEPS TO REPRODUCE:

  1. Create a C++ class with nbind bindings that accepts a callback
  2. Store the callback and invoke it from std::thread
  3. Load the addon in Node.js and call the method
  4. Process crashes with SIGSEGV when thread invokes callback

Example triggered from issue #115:
#115

PROPOSED MITIGATION:
Replace direct Nan::Call() with uv_async_send + libuv callback scheduling,
or require callers to use Nan::AsyncWorker for thread-safe callbacks.

CREDITS:
Discovered by Harsh Sharma

REFERENCES:

========================================================================
CVSS v3.1 CALCULATOR INPUT

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score: 7.5 (HIGH)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

========================================================================
CVE ID REQUEST

Requesting: 1 CVE ID
Preferred CNA: GitHub Security Advisories (fastest assignment)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions