9.1 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.8 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
By Vladimir de Turckheim, 2022-09-15
Recommendation update regarding CVE-2022-35255: Roll-out and re-issue all keys generated with WebCrypto.subtle.generateKey(). Re-evaluate the confidentiality of data encrypted with those keys.
Updates are now available for the v18.x, v16.x, and v14.x Node.js release lines for the following issues.
The fix for CVE-2022-32212 covered the cases for routable IP addresses. However, there is a specific behavior on macOS devices when handling the http://0.0.0.0 URL that allows an attacker-controlled DNS server to bypass the DNS rebinding protection by resolving hosts in the .local domain.
An attacker-controlled DNS server can resolve <Computer Name>.local to any arbitrary IP address, and consequently cause the victim's browser to load arbitrary content at http://0.0.0.0. This allows the attacker to bypass the DNS rebinding protection.
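An added illustration, not code from Node.js or from the original advisory: a Host-header allowlist of the kind that DNS rebinding protection relies on, accepting only loopback literals and localhost so that 0.0.0.0 and <Computer Name>.local are refused. The function names and the sample header values are constructed for this example.

```javascript
// Added illustration (not Node.js source): Host-header allowlist for a
// local-only HTTP service such as a debugger endpoint.
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Return the bare host from "host[:port]" or "[v6][:port]", or null if malformed.
function hostFromHeader(value) {
  if (typeof value !== 'string') return null;
  const v6 = /^\[([0-9a-fA-F:]+)\](?::\d{1,5})?$/.exec(value);
  if (v6) return v6[1].toLowerCase();
  const m = /^([A-Za-z0-9.-]+)(?::\d{1,5})?$/.exec(value);
  return m ? m[1].toLowerCase() : null;
}

function isAllowedHost(headerValue) {
  const host = hostFromHeader(headerValue);
  if (host === null) return false;
  if (host === 'localhost' || host === '::1') return true;
  const quad = IPV4.exec(host);
  if (!quad) return false; // any DNS name, including <name>.local, is refused
  const octets = quad.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return false;
  return octets[0] === 127; // loopback only; 0.0.0.0 and routable addresses fail
}

// Constructed Host header values (the port number is an arbitrary sample).
const SAMPLE_HOSTS = [
  '127.0.0.1:9229',
  'localhost:9229',
  '[::1]:9229',
  '0.0.0.0:9229',
  'victim-mac.local:9229',
  '127.0.0.1.evil.example',
];
for (const h of SAMPLE_HOSTS) {
  console.log(h, isAllowedHost(h) ? 'allow' : 'reject');
}
```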
Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability, and thank you to Rafael Gonzaga for fixing it.
Impacts:
Due to an incomplete fix for CVE-2022-32215, the llhttp parser in the http module in Node.js v16.16.0 and 18.7.0 still does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
Thank you, Liav Gutman of the JFrog CSO Team for reporting this vulnerability and thank you Paolo Insogna for fixing it.
Impacts:
The fix for CVE-2022-32213 can be bypassed using an obs-fold, which the Node.js HTTP parser supports. If the Node.js HTTP module is used as a proxy, it incorrectly parses the transfer-encoding header as indicating a chunked request while folding the headers, and so forwards Transfer-Encoding: chunked abc, which is not a valid transfer-encoding header, to the downstream server. This can lead to HTTP request smuggling, as indicated by CVE-2022-32213.
Thank you, Haxatron for reporting this vulnerability.
Impacts:
The llhttp parser in the http module in Node.js v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling.
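An added example, not code from Node.js, llhttp or the original advisory: a strict audit of a raw HTTP/1.1 request head that flags the three framing ambiguities described in the request smuggling items above (a folded multi-line Transfer-Encoding header, an invalid value such as chunked abc, and field lines not terminated with CRLF). The function name, finding labels and sample requests are constructed, and the rule that each transfer coding must be a bare token ending in chunked is an assumption of this example.

```javascript
// Added example (not Node.js or llhttp code): strict audit of a raw HTTP/1.1
// request head for the framing ambiguities described above.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function auditRequestHead(raw) {
  const findings = [];
  const end = raw.indexOf('\r\n\r\n');
  if (end === -1) findings.push('head-not-terminated');
  const head = end === -1 ? raw : raw.slice(0, end);
  // A CR without LF, or an LF without CR, is a bare line terminator.
  if (/\r(?!\n)|(?<!\r)\n/.test(head)) findings.push('bare-CR-or-LF');

  const fields = [];
  for (const line of head.split('\r\n').slice(1)) { // skip the request line
    if (/^[ \t]/.test(line)) { // obs-fold: continues the previous field value
      const prev = fields[fields.length - 1];
      findings.push(prev ? `obs-fold:${prev.name}` : 'obs-fold');
      if (prev) prev.value += ' ' + line.trim();
      continue;
    }
    const colon = line.indexOf(':');
    const name = colon === -1 ? '' : line.slice(0, colon);
    if (!TOKEN.test(name)) { findings.push('invalid-field-line'); continue; }
    fields.push({ name: name.toLowerCase(), value: line.slice(colon + 1).trim() });
  }

  const te = fields.filter((f) => f.name === 'transfer-encoding');
  for (const f of te) {
    const codings = f.value.split(',').map((c) => c.trim().toLowerCase());
    // Strict by assumption: each coding is a bare token and the last is "chunked".
    if (!codings.every((c) => TOKEN.test(c))) findings.push('invalid-transfer-coding');
    else if (codings[codings.length - 1] !== 'chunked') findings.push('final-coding-not-chunked');
  }
  if (te.length > 1) findings.push('multiple-transfer-encoding');
  if (te.length && fields.some((f) => f.name === 'content-length')) findings.push('te-with-content-length');
  return findings;
}

// Constructed sample request heads (not captured traffic).
const SAMPLES = {
  clean: 'POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n',
  folded: 'POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n abc\r\n\r\n',
  bareLf: 'POST / HTTP/1.1\r\nHost: example.test\r\nX-Pad: 1\nTransfer-Encoding: chunked\r\n\r\n',
};
for (const [name, raw] of Object.entries(SAMPLES)) {
  console.log(name, auditRequestHead(raw));
}
```

A front end that rejects any request with a non-empty findings list never has to decide how a downstream server would interpret the ambiguous framing.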
Thank you, VVX7 for reporting this vulnerability.
Impacts:
In Node.js 18 and later, at startup, the process attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf on macOS, a path which ordinarily doesn't exist. An attacker with access to a shared macOS host and a self-chosen username (iojs) would be able to affect the OpenSSL configuration of other users.
Thank you, Michael Dawson for reporting (and fixing!) this vulnerability.
Impacts:
Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value; it assumes EntropySource() always succeeds, but it can (and sometimes will) fail.
Thank you, Ben Noordhuis for reporting (and fixing!) this vulnerability.
Impacts:
Thanks a lot Rafael Gonzaga, Ruy Adorno, Bryan English and Paolo Insogna for the release work.
Some fixes of the security releases have been recently updated and the Node.js security team still needs an extra day of work to ensure the binaries are ready to release. We would like to thank you for your patience and understanding. The releases are now planned for September 23rd 2022.
The Node.js project will release new versions of the 14.x, 16.x, and 18.x release lines on or shortly after Thursday, September 22nd, 2022 in order to address:
The 18.x release line of Node.js is vulnerable to four medium severity issues and two high severity issues.
The 16.x release line of Node.js is vulnerable to three medium severity issues and two high severity issues.
The 14.x release line of Node.js is vulnerable to three medium severity issues and one high severity issue.
Releases will be available on, or shortly after, Thursday, September 22nd, 2022.
The current Node.js security policy can be found at <https://nodejs.org/en/security/>. Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at <https://groups.google.com/forum/#!forum/nodejs-sec> to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.