CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

Metric | Value |
---|---|
Confidence | High |

EPSS

Metric | Value |
---|---|
Percentile | 91.5% |

After a thorough assessment of the fixes we were planning on including, we have decided to scale back this security update to only include a subset. We are deferring some fixes while we improve the required API changes in order to decrease the disruption that it may cause to users. The vulnerabilities that the deferred fixes address are low severity.
Note that there is no Node.js v6 release in this set of updates as it is not impacted by the vulnerabilities being patched.
The fixes we are including in this update are:
Under certain conditions, V8 may improperly expand memory allocations in the Zone::New function. This could potentially be used to cause a Denial of Service via buffer overflow or as a trigger for a remote code execution.
Although this bug is marked as high severity in the corresponding Chromium release (50.0.2661.102), our assessment is that this is low severity for Node.js users due to the level of difficulty in making use of this vulnerability. However, users are encouraged to upgrade their Node.js installation to ensure they are properly protected.
Prior to libuv version 1.7.4, a flaw in the read/write locks implementation for Windows XP and Windows 2003 could lead to unlocking a CRITICAL_SECTION on the wrong thread, resulting in undefined and potentially unsafe behavior. This problem was identified by Zhou Ran. Node.js v4 and later are not affected as the usage of read/write was replaced with simple mutexes. Further details can be found on the libuv repository.
Please note that this may be the final release of the v5.x line as support ends on the 30th of June.
Unfortunately we have to announce that we are delaying our security releases by a week. We have concluded that pushing forward with the releases this week would unnecessarily compromise the quality of the fixes we intended to include. Instead, we will be taking the extra time to be sure that we are delivering the stability and quality that Node.js users expect.
We now intend to make releases available on or soon after Thursday, the 23rd of June, 2016, UTC.
Original post is included below
The Node.js project has scheduled updates for all of its active release lines to patch two security flaws and one security-related usability flaw. We do not consider any of our updates to be critical; however, it is recommended that all production instances of Node.js be upgraded when the releases are made available.
We intend to make releases available on or soon after Thursday, the 16th of June, 2016, UTC.
We consider some of the patches in these releases to be API breaking changes which would normally warrant an increase in the major-version number of Node.js. However, in accordance with our security procedures we will be delivering these changes in minor-version increases (the y in x.y.z) where appropriate, and patch-version increases in v0.10 and v0.12 releases.
Therefore, we expect to be releasing:
While we anticipate minimal impact from the breaking changes, please be sure to review the details once they are released and make an assessment regarding the impact on your applications.
Additional notes:
The V8 team has identified and patched a potential security vulnerability. We will be backporting the fix to all active release lines of Node.js. Our current assessment is that this vulnerability should be considered low-severity for Node.js users with an exploit being very difficult to develop and execute.
All versions of Node.js are affected.
We will be including fixes relating to Node.js HTTP processing. We categorise these as low-severity and are not aware of any existing exploits leveraging the defects. Full details are embargoed until new releases are available.
Common Vulnerability Scoring System (CVSS) v3 Base Score:
Metric | Score |
---|---|
Base Score: | 4.8 (Medium) |
Base Vector: | |
Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.
All versions of Node.js are affected.
This defect will be identified as CVE-2016-5325.
We intend to also include a patch for HTTP client in Node.js. While we do not consider this to be strictly a security concern for Node.js core, it poses a usability concern that may easily enable users to write code that exposes vulnerabilities in their applications.
All versions of Node.js are affected.