CVE-2021-39228: Tremor is an event processing system for unstructured data. A vulnerability exists between versions 0.7.2 and 0.11.6. This vulnerability is a memory s...

Description

Tremor is an event processing system for unstructured data. A vulnerability exists between versions 0.7.2 and 0.11.6. This vulnerability is a memory safety Issue when using `patch` or `merge` on `state` and assign the result back to `state`. In this case, affected versions of Tremor and the tremor-script crate maintains references to memory that might have been freed already. And these memory regions can be accessed by retrieving the `state`, e.g. send it over TCP or HTTP. This requires the Tremor server (or any other program using tremor-script) to execute a tremor-script script that uses the mentioned language construct. The issue has been patched in version 0.11.6 by removing the optimization and always cloning the target expression of a Merge or Patch. If an upgrade is not possible, a possible workaround is to avoid the optimization by introducing a temporary variable and not immediately reassigning to `state`.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.31%

66.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Linuxfoundation	Tremor	>= 0.7.2, < 0.11.6

References

https://github.com/tremor-rs/tremor-runtime/commit/1a2efcdbe68e5e7fd0a05836ac32d2cde78a0b2ePatch, Third Party Advisory
https://github.com/tremor-rs/tremor-runtime/pull/1217Exploit, Patch, Third Party Advisory
https://github.com/tremor-rs/tremor-runtime/releases/tag/v0.11.6Release Notes, Third Party Advisory
https://github.com/tremor-rs/tremor-runtime/security/advisories/GHSA-mc22-5q92-8v85Mitigation, Third Party Advisory
https://github.com/tremor-rs/tremor-runtime/commit/1a2efcdbe68e5e7fd0a05836ac32d2cde78a0b2ePatch, Third Party Advisory
https://github.com/tremor-rs/tremor-runtime/pull/1217Exploit, Patch, Third Party Advisory
https://github.com/tremor-rs/tremor-runtime/releases/tag/v0.11.6Release Notes, Third Party Advisory
https://github.com/tremor-rs/tremor-runtime/security/advisories/GHSA-mc22-5q92-8v85Mitigation, Third Party Advisory

Timeline

Published: Sep 17, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-39228?

Tremor is an event processing system for unstructured data. A vulnerability exists between versions 0.7.2 and 0.11.6. This vulnerability is a memory safety Issue when using `patch` or `merge` on `state` and assign the result back to `state`. In this case, affected versions of Tremor and the tremor-script crate maintains references to memory that might have been freed already. And these memory regions can be accessed by retrieving the `state`, e.g. send it over TCP or HTTP. This requires the Tremor server (or any other program using tremor-script) to execute a tremor-script script that uses the mentioned language construct. The issue has been patched in version 0.11.6 by removing the optimization and always cloning the target expression of a Merge or Patch. If an upgrade is not possible, a possible workaround is to avoid the optimization by introducing a temporary variable and not immediately reassigning to `state`.

How severe is CVE-2021-39228?

CVE-2021-39228 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 1.31% probability of exploitation in the next 30 days.

How do I fix CVE-2021-39228?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.