ALSA-2019:2925 Important: nodejs:10 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 10.16.3. Security Fixes: HTTP/2: large amount of data requests leads to denial of...

Important: nodejs:10 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 10.16.3. Security Fixes: HTTP/2: large amount of data requests leads to denial of...

Node.js third-party modules: [node-df] RCE via insecure command concatenation

I would like to report a RCE issue in the node-df module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: node-df version: 0.1.4 npm page: https://www.npmjs.com/package/node-df Module Description node-df abbreviation of disk free is a cross-platform...

Microsoft Warns of a New Rare Fileless Malware Hijacking Windows Computers

Watch out Windows users! There's a new strain of malware making rounds on the Internet that has already infected thousands of computers worldwide and most likely, your antivirus program would not be able to detect it. Why? That's because, first, it's an advanced fileless malware and second, it...

Thousands of PCs Affected by Nodersok/Divergent Malware

New malware identified by Microsoft and Cisco Talos has affected thousands of PCs in the United States and Europe and turns systems into proxies for performing malicious activity, the companies said. The fileless threat—called Nodersok by Microsoft and Divergent by Cisco Talos—has many of its own...

Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware

We’ve discussed the challenges that fileless threats pose in security, and how Microsoft Defender Advanced Threat Protection Microsoft Defender ATP employs advanced strategies to defeat these sophisticated threats. Part of the slyness of fileless malware is their use of living-off-the-land...

F5 Networks BIG-IP : Node.js vulnerability (K27228191)

The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12. The HTTP specification does not allow for spaces in the Content-Length value and the Node.js HTTP parser has been...

Node.js third-party modules: [tree-kill] RCE via insecure command concatenation (only Windows)

I would like to report a RCE issue in the tree-kill module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: tree-kill version: 1.2.1 npm page: https://www.npmjs.com/package/tree-kill Module Description Kill all processes in the process tree, including t...

Design/Logic Flaw

The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL...

CVE-2019-15138

CVE-2019-15138 affects the Node.js module html-pdf (v2.2.0). The vulnerability allows an arbitrary file read by processing an HTML file that uses an XMLHttpRequest to access a file:/// URL, enabling the server to exfiltrate local files (e.g., /etc/passwd). Public references in the Connected docum...

CVE-2019-15138

The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL...

Security Bulletin: Node.js as used in IBM QRadar Packet Capture is vulnerable to the following CVE's (CVE-2019-1559, CVE-2019-5737, CVE-2019-5739)

Summary Node.js as used in IBM QRadar Packet Capture is susceptible to the following vulnerabilities Vulnerability Details CVEID: CVE-2019-1559 Description: OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after t...

Node.js third-party modules: Path traversal using symlink

I would like to report Path Traversal in statics-server Module module name: statics-server version: 0.0.9 npm page: https://www.npmjs.com/package/statics-server Module Description npm install statics-server -g Go to the folder you want to statics-server Run the server statics-server Module Stats...

Node.js third-party modules: [snekserve] Stored XSS via filenames HTML formatted

I would like to report a stored XSS issue in the snekserve module. It allows to inject HTML/JS code inside the directory listing : Module module name: snekserve version: 1.0.0 npm page: https://www.npmjs.com/package/snekserve Module Description Assuming you would like to serve a static site, sing...

Node.js third-party modules: [create-git] RCE via insecure command formatting

The create-git NPM module was vulnerable against command injection which was possible since some user supplied inputs were concatenated without proper checks inside a exec call, which made possible executing arbitrary commands besides the git one which is used by the tool. The PoC resulted in: js...

Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Spectrum LSF Suite, IBM Spectrum LSF Suite for HPA, and Spectrum LSF Explorer

Summary There are multiple vulnerabilities in Node.js used by IBM Spectrum LSF Suite, IBM Spectrum LSF Suite for HPA and Spectrum LSF Explorer. Vulnerability Details CVE-ID: CVE-2019-9511 Description: Multiple vendors are vulnerable to a denial of service, caused by a Data Dribble attack. By...

Node.js third-party modules: [expressjs-ip-control] Whitelist IP bypass leads to authorization bypass and sensitive info disclosure

I would like to report a unauthenticated access/authorization bypass issue in the expressjs-ip-control module. It allows to bypass the whitelist IP check in order to bypass the authorization check and possibly expose sensitive datas. Module module name: MODULE NAME version: MODULE VERSION npm pag...

OpenSSL security releases do not require Node.js security releases

OpenSSL security releases do not require Node.js security releases Summary The OpenSSL Security releases of September 10th, 2019 do not affect Node.js. Analysis Our assessment of the security advisory is: ECDSA remote timing attack CVE-2019-1547 Not affected. Node supports only named curves for...

Node.js third-party modules: Path traversal in https://www.npmjs.com/package/http_server via symlink

I would like to report Path traversal in httpserver It allows an attacker to read arbitrary system files. Module module name: httpserver version: 1.0.12 npm page: https://www.npmjs.com/package/httpserver Module Description Copy description from npm page Module Stats Weekly downloads: 35...

Node.js third-party modules: [reveal.js] XSS by calling arbitrary method via postMessage

I would like to report XSS in reveal.js It allows gaining access to the victim's account and performing actions on his behalf Module module name: reveal.js version: 3.8.0 npm page: https://www.npmjs.com/package/reveal.js Module Description A framework for easily creating beautiful presentations...