ADVISORY!

TLP : CLEAR

Date : 05/04/2024

REF NO : CERT / 2024/04/26

Node.js Multiple Vulnerabilities

Severity Level: Medium

Components Affected

  • Node.js versions prior to 18.20.1 (LTS)
  • Node.js versions prior to 20.12.1 (LTS)
  • Node.js versions prior to 21.7.2 (Current)

Overview

Multiple vulnerabilities have been identified in Node.js. A remote attacker can exploit them to cause a denial of service or to bypass security restrictions on the targeted system.

Description

An attacker can make a Node.js HTTP/2 server completely unavailable by sending a small number of packets, each carrying only a few HTTP/2 frames. When a client sends a header block split across HTTP/2 CONTINUATION frames and then abruptly closes the TCP connection, the Http2Session destructor runs while those header frames are still being processed (and held in memory). This race condition can leave data behind in nghttp2 memory after the session has been reset.

Impact

  • Denial of Service
  • Security Restriction Bypass

Solution/ Workarounds

Before installing the update, consult the vendor website for release details.

  • Update to Node.js version 18.20.1 (LTS)
  • Update to Node.js version 20.12.1 (LTS) 
  • Update to Node.js version 21.7.2 (Current)
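A quick way to confirm whether a host is on a fixed release is to compare the installed version against the three fixed versions listed above. The script below is an added example and is not part of the CERT advisory or of Node.js itself; it assumes `node --version` prints a string of the form `vX.Y.Z` (its real output format) and reports release lines the advisory does not cover as "not covered" rather than guessing.

```python
import re
import subprocess

# Fixed versions from the advisory, keyed by major release line.
FIXED_VERSIONS = {
    18: (18, 20, 1),  # LTS
    20: (20, 12, 1),  # LTS
    21: (21, 7, 2),   # Current
}


def parse_version(text):
    """Turn 'v20.11.0' or '20.11.0' into a (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a Node.js version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version is below the fixed release on its line,
    False if it is at or above it, None if the major line is not
    covered by this advisory (e.g. 16.x or 19.x)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


def installed_node_version():
    """Return the output of `node --version` on this host, or None if
    node is not on PATH or fails to run."""
    try:
        result = subprocess.run(
            ["node", "--version"], capture_output=True, text=True, check=True
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip()


def report(version):
    """Human-readable verdict for one version string."""
    verdict = is_affected(version)
    if verdict is None:
        return f"{version}: release line not covered by this advisory"
    if verdict:
        major = parse_version(version)[0]
        fixed = ".".join(str(x) for x in FIXED_VERSIONS[major])
        return f"{version}: AFFECTED, update to {fixed} or later"
    return f"{version}: not affected"


if __name__ == "__main__":
    local = installed_node_version()
    if local is None:
        print("node not found on PATH")
    else:
        print(report(local))
    # Constructed sample versions to show each outcome.
    for sample in ("v18.20.0", "v20.12.1", "v21.7.1", "v16.20.2"):
        print(report(sample))
```

Run it on each host, or feed it version strings collected from an inventory; a `None` verdict means the host is on a line the advisory does not address and should be checked against the vendor's own release schedule.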

Reference

Disclaimer : The information provided herein is on an “as is” basis, without warranty of any kind.

Sri Lanka Computer Emergency Readiness Team | Coordination Centre

Copyright © 2023 SRI LANKA CERT | CC