Node.js discloses two critical security vulnerabilities

Node.js is facing two security vulnerabilities, including a potentially major denial-of-service issue, with patches for the problems not available for a week. Releases of Node.js ranging from 0.12 to version 5 are vulnerable to one or both issues.

A bulletin issued today by the Node.js Foundation, which has jurisdiction over the popular server-side JavaScript platform, covers “a high-impact denial-of-service vulnerability” and a “low-impact V8 out-of-bounds access vulnerability.” V8 is the Google-developed JavaScript engine leveraged by Node.js. Officially, the DoS issue is labeled as CVE (Common Vulnerabilities and Exposures) 2015-8027, while the access problem is identified as CVE-2015-6764.

The bulletin describes the DoS vulnerability as widespread among Node versions. “A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high, and users of the affected versions should plan to upgrade when a fix is made available.”

The out-of-bounds vulnerability description is less dire. “An additional bug exists in Node.js, all versions of v4.x and v5.x, whereby an attacker may be able to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application. The severity of this issue is considered medium for Node.js users, but only under circumstances where an attacker may cause user-supplied JavaScript to be executed within a Node.js application. Fixes will be shipped for the v4.x and v5.x release lines along with fixes for CVE-2015-8027.” The 0.10x and 0.12x lines are not affected.

Despite the seriousness of the security issues, Node representatives stressed that users shouldn’t be worried. The threat to the community is “minimal,” Rogers said. “In fact, we already have fixes for both. It is a routine part of our security policy, which we take seriously, to inform our community of vulnerabilities, and then give them time to plan for an upgrade.”

Rogers said Node.js security is under more scrutiny since the formation of the foundation, which is affiliated with the Linux Foundation. “We have much more formal and proper security policy now.”

Related posts

The Imperative of Robust Business Continuity Amidst Technology Disruptions

Closing the Cybersecurity Skill Gap: The Crucial Role of GenAI in Training and Supporting Cybersecurity Professionals

Enhancing Supplier Security Monitoring with AI and ML

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More