CVSS3 score: 9.8 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality, Integrity and Availability Impact: High)
By Rafael Gonzaga, 2022-10-24
The vulnerability in the OpenSSL security release of Oct 11 2022 does not affect any active Node.js release lines. Likewise, the zlib vulnerability (CVE-2022-37434) patched in the zlib security release of Oct 13 2022 does not affect Node.js.
Our assessment of the OpenSSL security advisory is:
NID_undef may lead to NULL encryption (CVE-2022-3358): Node.js doesn't call EVP_CIPHER_meth_new(NID_undef, ...). Therefore, Node.js is not affected by this vulnerability.
Our assessment of CVE-2022-37434 is:
Node.js doesn't call inflateGetHeader. Therefore, Node.js is not affected by this vulnerability.
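Both assessments above come down to one question: does the code base ever reach the dependency's vulnerable entry point? The following triage helper is an added example, not part of the Node.js post or the nodejs-dependency-vuln-assessments workflow; it scans C/C++ sources for the two call sites named above (EVP_CIPHER_meth_new called with NID_undef, and any call to inflateGetHeader). The sample trees and the pattern table are constructed for illustration.

```python
"""Triage helper: does a C/C++ source tree reach the APIs named in the assessments above?"""
import os
import re
from typing import Dict, List, Tuple

# Constructed mapping of CVE -> pattern for the call site that makes the bug reachable.
# CVE-2022-3358 needs EVP_CIPHER_meth_new() to be passed NID_undef;
# CVE-2022-37434 is only reachable through inflateGetHeader().
VULNERABLE_CALLS: Dict[str, re.Pattern] = {
    "CVE-2022-3358": re.compile(r"\bEVP_CIPHER_meth_new\s*\(\s*NID_undef\b"),
    "CVE-2022-37434": re.compile(r"\binflateGetHeader\s*\("),
}
SOURCE_EXTENSIONS = (".c", ".cc", ".cpp", ".h", ".hpp")


def assess_sources(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int]]]:
    """Return, per CVE, the (path, line_number) call sites found.  An empty list means the
    vulnerable entry point is not referenced textually; a non-empty list needs a human look."""
    hits: Dict[str, List[Tuple[str, int]]] = {cve: [] for cve in VULNERABLE_CALLS}
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for cve, pattern in VULNERABLE_CALLS.items():
                if pattern.search(line):
                    hits[cve].append((path, lineno))
    return hits


def is_affected(files: Dict[str, str]) -> Dict[str, bool]:
    """Collapse the call-site list into the yes/no verdict an assessment issue records."""
    return {cve: bool(sites) for cve, sites in assess_sources(files).items()}


def load_tree(root: str) -> Dict[str, str]:
    """Read every C/C++ source file under root into the mapping assess_sources() expects."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(SOURCE_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return files


# Constructed sample: uses zlib and OpenSSL normally (no inflateGetHeader, a real NID).
SAFE_TREE = {
    "src/compress.cc": "inflateInit2(&strm, 15 + 32);\nint rc = inflate(&strm, Z_NO_FLUSH);",
    "src/cipher.cc": "EVP_CIPHER* c = EVP_CIPHER_meth_new(NID_aes_128_cbc, 16, 16);",
}
# Constructed sample that does reach both entry points, for contrast.
EXPOSED_TREE = {
    "src/gzhdr.c": "  int rc = inflateGetHeader(&strm, &head);",
    "src/nullcipher.c": "  EVP_CIPHER *c = EVP_CIPHER_meth_new(NID_undef, 1, 0);",
}
```

The check is textual, so it cannot see calls made through function pointers or generated code; it is a first pass for an assessment issue, not a proof of non-reachability.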
For further information, see nodejs-dependency-vuln-assessments#50.
The Node.js Security team created an automated workflow that aims to address all public CVEs in Node.js dependencies.
This initiative aims to reduce the gap between a dependency security release and the corresponding Node.js assessment. The repository is available at nodejs/nodejs-dependency-vuln-assessments, and the assessments are published as issues there.
Make sure to watch the repository if you are interested in security patches.
The current Node.js security policy can be found at https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security, including information on how to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at <https://groups.google.com/forum/#!forum/nodejs-sec> to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the Node.js GitHub organization.