CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

2015-11-25 00:00:00
OpenJS Foundation
nodejs.org
CVSS3: 9.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

By Rod Vagg, 2015-11-25

This announcement is for:

  • CVE-2015-8027: a high-impact denial of service vulnerability
  • CVE-2015-6764: a low-impact V8 out-of-bounds access vulnerability

CVE-2015-8027 Denial of Service Vulnerability

Description and CVSS Score

A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high (see CVSS scoring below) and users of the affected versions should plan to upgrade when a fix is made available.

  • Versions 0.10.x of Node.js are not affected.
  • Versions 0.12.x of Node.js are vulnerable.
  • Versions 4.x, including LTS Argon, of Node.js are vulnerable.
  • Versions 5.x of Node.js are vulnerable.

Full details of this vulnerability are embargoed until new releases are available on Wednesday the 2nd of December 2015, UTC (Tuesday the 1st of December US time).

Common Vulnerability Scoring System (CVSS) v3 Base Score:

Metric Score
Base Score: 7.5 (High) Base Vector:

Complete CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:R/CR:L/IR:L/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H. Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.

CVE-2015-8027 is listed on the MITRE CVE dictionary and NIST NVD.

CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

Description and CVSS Score

An additional bug exists in Node.js, all versions of v4.x and v5.x, whereby an attacker may be able to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application. The severity of this issue is considered medium for Node.js users (see CVSS scoring below), but only under circumstances where an attacker may cause user-supplied JavaScript to be executed within a Node.js application. Fixes will be shipped for the v4.x and v5.x release lines along with fixes for CVE-2015-8027.

  • Versions 0.10.x of Node.js are not affected.
  • Versions 0.12.x of Node.js are not affected.
  • Versions 4.x, including LTS Argon, of Node.js are vulnerable.
  • Versions 5.x of Node.js are vulnerable.

Full details of this vulnerability are embargoed until new releases are available on Wednesday the 2nd of December 2015, UTC (Tuesday the 1st of December US time).

Common Vulnerability Scoring System (CVSS) v3 Base Score:

Metric Score
Base Score: 4.4 (Medium) Base Vector:

Complete CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:R/CR:L/IR:L/AR:M/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H. Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.

CVE-2015-6764 is listed on the MITRE CVE dictionary and NIST NVD.
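
As an added example (not part of the original announcement and not Node.js project code), the following JavaScript parses the two CVSS v3.0 vectors quoted above and recomputes their base scores with the weights and formulas from the CVSS v3.0 specification. The function names are chosen for this example; the temporal and environmental metrics in the vectors are parsed but do not enter the base score.

```javascript
// Added example: recompute a CVSS v3.0 base score from a vector string.
const CIA = { H: 0.56, L: 0.22, N: 0 };
const WEIGHTS = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 }, UI: { N: 0.85, R: 0.62 },
  C: CIA, I: CIA, A: CIA,
};
// The Privileges Required weight depends on Scope (U unchanged, C changed).
const PR = { U: { N: 0.85, L: 0.62, H: 0.27 }, C: { N: 0.85, L: 0.68, H: 0.5 } };

// Split "CVSS:3.0/AV:N/..." into a Map of metric -> value, rejecting bad input.
function parseVector(vector) {
  const [prefix, ...parts] = vector.trim().split('/');
  if (prefix !== 'CVSS:3.0') throw new Error(`unsupported prefix: ${prefix}`);
  const metrics = new Map();
  for (const part of parts) {
    const [key, value] = part.split(':');
    if (!key || !value || metrics.has(key)) throw new Error(`bad metric: ${part}`);
    metrics.set(key, value);
  }
  return metrics;
}

// Round up to one decimal, via integers so float noise cannot add 0.1.
function roundUp1(x) {
  return Math.ceil(Math.round(x * 100000) / 10000) / 10;
}

function baseScore(vector) {
  const m = parseVector(vector);
  const scope = m.get('S');
  if (scope !== 'U' && scope !== 'C') throw new Error('missing or invalid S');
  const w = (name, table = WEIGHTS[name]) => {
    const weight = table[m.get(name)];
    if (typeof weight !== 'number') throw new Error(`missing or invalid ${name}`);
    return weight;
  };
  const iss = 1 - (1 - w('C')) * (1 - w('I')) * (1 - w('A'));
  const impact = scope === 'U'
    ? 6.42 * iss
    : 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15);
  const exploitability = 8.22 * w('AV') * w('AC') * w('PR', PR[scope]) * w('UI');
  if (impact <= 0) return 0;
  const raw = scope === 'U' ? impact + exploitability : 1.08 * (impact + exploitability);
  return roundUp1(Math.min(raw, 10));
}

// The two vectors published in the announcement above; prints 7.5 and 4.4.
const VECTORS = {
  'CVE-2015-8027': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:R/CR:L/IR:L/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H',
  'CVE-2015-6764': 'CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:R/CR:L/IR:L/AR:M/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H',
};
for (const [cve, v] of Object.entries(VECTORS)) console.log(cve, baseScore(v));
```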

Action and updates

New releases of v0.12.x, v4.x and v5.x will be made available on Wednesday the 2nd of December 2015, UTC, with appropriate fixes for CVE-2015-8027 and CVE-2015-6764 (the latter for v4.x and v5.x only), along with disclosure of the details of the bug to allow for complete impact assessment by users.

Contact and future updates

Please contact [email protected] if you wish to report a vulnerability in Node.js.

Please subscribe to the low-volume announcement-only nodejs-sec mailing list at <https://groups.google.com/forum/#!forum/nodejs-sec> to stay up to date with security vulnerabilities in Node.js and the projects maintained in the nodejs GitHub organization.
