Node.js high security vulnerability fixes


Node.js fixed two high-severity and one low-severity vulnerability.

Node.js pushed bug fixes for these vulnerabilities to the 16, 14 and 12 release lines as semver patch releases.

The fixed versions are 16.6.2, 14.17.5 and 12.22.5.

Vulnerabilities:

High - improper handling of untypical characters in domain names

This allowed remote code execution, XSS, domain hijacking, code injection and crashing the application.

High - use after free on close http2 on stream canceling

This allowed an attacker to exploit the memory corruption and change the application's behaviour as they wished.

Low - incomplete validation of the rejectUnauthorized parameter

If the Node.js HTTPS API was used incorrectly and undefined was passed for the rejectUnauthorized parameter, no error was returned and connections to servers with expired certificates were allowed.


It is strongly recommended to update your Node.js versions to the latest patch release, especially because of the first two high-severity vulnerabilities, and no breaking changes were introduced with these patches.
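To check quickly whether a given runtime already carries these fixes, the following added example (not from the post or the Node.js project; patchStatus and the helper names are assumptions) compares a version string numerically against the fixed versions named above, so that for instance 14.17.10 is correctly treated as newer than 14.17.5. Release lines the post does not cover are reported as unknown rather than guessed.

```javascript
// Added example (not Node.js project code): classify a Node.js version string
// against the fixed releases named in the post (16.6.2, 14.17.5, 12.22.5).
const FIXED = { 16: [16, 6, 2], 14: [14, 17, 5], 12: [12, 22, 5] };

// Accepts "v14.17.5", "14.17.5" or "v14.17.5-pre"; returns [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error('unrecognised Node.js version string: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric component-wise comparison; avoids the string-compare trap
// where "14.17.10" < "14.17.5".
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns 'patched', 'vulnerable', or 'unknown' for release lines the post
// does not list (other majors, including EOL lines that received no fix).
function patchStatus(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED[parsed[0]];
  if (!fixed) return 'unknown';
  return compareVersions(parsed, fixed) >= 0 ? 'patched' : 'vulnerable';
}

// Constructed sample versions plus the running interpreter.
for (const v of ['v12.22.4', 'v14.17.5', 'v16.6.10', process.version]) {
  console.log(v, '=>', patchStatus(v));
}
```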
