7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
By Michael Dawson, 2017-10-24
Updates are now available for all active Node.js release lines. These include the fix for the vulnerability identified in the initial announcement.
We recommend that all users upgrade as soon as possible.
Downloads
Node.js was susceptible to a remote DoS attack due to a change that came in as part of zlib v1.2.9. In zlib v1.2.9 8
became an invalid value for the windowBits
parameter and Node’s zlib module will crash or throw an exception (depending on the version) if you call:
zlib.createDeflateRaw({windowBits: 8})
The windowBits
parameter controls how much of a message zlib keeps in memory while compressing it. A larger “window”, as it’s called, means more opportunities to spot and compress repeated bits of text, but results in higher memory usage. windowBits is the base-2 logarithm of the size of this window in bytes, and previously could take any integer value from 8 to 15.
This problem (Node.js crashing or throwing an exception) could be remotely exploited using some of the existing WebSocket clients that may request a value of 8
for windowBits
in certain cases or with a custom built WebSocket client. There may also exist other vectors through which a zLib operation would be initiated by a remote request with a window size that results in a value of windowBits
of 8.
This problem was resolved within Node.js by changing any request for a windowBits
size of 8 to use a windowsBits
size of 9 instead. This is consistent with previous zLib behavior and we believe minimizes the impact of the change on existing applications.
This vulnerability has been assigned CVE-2017-14919.
Original post is included below
The Node.js project will be releasing new versions of 4.x, 6.x, and 8.x the week of the 24th of October to incorporate a security fix.
Versions 4.8.2 and later, 6.10.2 and later, as well as all versions of 8.x are vulnerable to an issue that can be used by an external attacker to cause a denial of service. The severity of this vulnerability is HIGH and users of the affected version should plan to upgrade when a fix is made available.
Versions 4.8.2 and later of Node.js are vulnerable. Versions 6.10.2 and later of Node.js are vulnerable. Versions 8.x of Node.js are vulnerable.
Releases will be available at, or shortly after, the 24th of October along with disclosure of the details for the vulnerability in order to allow for complete impact assessment by users.
The current Node.js security policy can be found at https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security.
Please contact [email protected] if you wish to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at <https://groups.google.com/forum/#!forum/nodejs-sec> to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P