11. August 2021
NodeJS high security vulnerability fixes
NodeJS fixed two high and one low severity vulnerabilities
NodeJS pushed fixes for the vulnerabilities to the 16, 14 and 12 release lines as semver patch releases
Fixed versions are 16.6.2, 14.17.5 and 12.22.5
Vulnerabilities:
High - improper handling of untypical characters in domain names
Which allowed remote code execution, XSS, domain hijacking, code injection and crashing the application
High - use-after-free on HTTP/2 stream close when a stream is canceled
Which allowed an attacker to exploit memory corruption to change application behavior to their liking
Low - incomplete validation of the rejectUnauthorized parameter
If the NodeJS HTTPS API was used incorrectly and undefined was passed for the rejectUnauthorized parameter,
then no error was returned and connections to servers with expired certificates were allowed
It would be really good to update your NodeJS to the latest patch release, especially because of the first two high severity vulnerabilities; no breaking changes were introduced with these patches