Node.js team releases new versions to fix 2 security bugs

Dec 4, 2015 05:05 GMT

Two security issues were identified in the Node.js codebase, one of which is a high-impact vulnerability, affecting Node.js versions from 0.12.x to 5.x.

The Node.js team announced these vulnerabilities at the end of November and originally planned to issue a fix at the start of this week. Plans changed after the OpenSSL team also announced upcoming security fixes, so the Node team, to spare webmasters from installing two updates in the same week, pushed back their update to allow the OpenSSL project to release their fix as well.

Today, the OpenSSL developers launched versions 1.0.2e, 1.0.1q, 1.0.0t and 0.9.8zh, which include fixes for CVE-2015-3193, CVE-2015-3194, and CVE-2015-3195, all medium-level security issues.

As announced, the Node.js team soon followed suit with the releases of Node.js 5.1.1, 4.2.3, 0.12.9, and 0.10.41.

High-impact vulnerability in Node.js, patch now

These releases patched a DoS (Denial of Service) issue (CVE-2015-8027) affecting Node.js versions from 0.12.x to 5.x, and an out-of-bounds access vulnerability (CVE-2015-6764) affecting Node.js versions 4.x and 5.x.

Of the two, the DoS issue is the high-impact vulnerability, with a CVSS severity score of 7.5 (out of 10). It was discovered by Node.js core team member Fedor Indutny and, as the Node team describes it, relates to HTTP pipelining.

"Under certain conditions an HTTP socket may no longer have a parser associated with it but a pipelined request can trigger a pause or resume on the non-existent parser thereby causing an uncaughtException to be thrown," explained the Node.js team in their December Security Release Summary.

Attackers could exploit this issue over the network to crash Node.js servers without requiring any user interaction. Only Node.js applications that take user-supplied JavaScript are vulnerable to this issue.

Details about the Node.js CVEs will be released soon on MITRE, after webmasters are given a reasonable amount of time to patch their systems.

Since Node.js versions 0.10.x and 0.12.x depend on OpenSSL 1.0.1x, and versions 4.x (LTS Argon) and 5.x depend on OpenSSL 1.0.2x, the OpenSSL updates released today have also been bundled into the corresponding Node.js releases.
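As an added example (not code from the Node.js project or from the article), the version ranges above can be turned into a host audit check: it maps a Node.js version to its release line, decides whether that version predates the fixed release for the line, lists which of the two Node.js CVEs still apply, and compares the bundled OpenSSL against the release the line was rebased on. The fixed-version tables are taken from the article; the function names and the `assess` result shape are my own.

```javascript
'use strict';

// Fixed Node.js release per line, as listed in the article.
const FIXED_NODE = { '0.10': '0.10.41', '0.12': '0.12.9', '4': '4.2.3', '5': '5.1.1' };
// OpenSSL release each line bundles after the fix (1.0.1 line for 0.10/0.12, 1.0.2 line for 4/5).
const FIXED_OPENSSL = { '0.10': '1.0.1q', '0.12': '1.0.1q', '4': '1.0.2e', '5': '1.0.2e' };
// Node.js CVEs from the advisory and the release lines they affect.
const NODE_CVES = { 'CVE-2015-8027': ['0.12', '4', '5'], 'CVE-2015-6764': ['4', '5'] };

// Parse "v4.2.1" or "1.0.2d" into [major, minor, patch, suffix]; OpenSSL uses a letter suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(v).trim());
  if (!m) throw new Error('unrecognised version: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4]];
}

// Numeric fields first, then the letter suffix ('' sorts before 'a', 'q' after 'p').
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return pa[3] < pb[3] ? -1 : pa[3] > pb[3] ? 1 : 0;
}

// "0.12.7" -> "0.12"; "4.2.1" -> "4" (the 0.x lines are keyed by minor version).
function releaseLine(nodeVersion) {
  const [major, minor] = parseVersion(nodeVersion);
  return major === 0 ? `0.${minor}` : String(major);
}

// Returns null for lines the advisory does not cover, otherwise what still needs attention.
function assess(nodeVersion, opensslVersion) {
  const line = releaseLine(nodeVersion);
  if (!(line in FIXED_NODE)) return null;
  const nodePatched = compareVersions(nodeVersion, FIXED_NODE[line]) >= 0;
  const openCves = nodePatched ? [] :
    Object.keys(NODE_CVES).filter((cve) => NODE_CVES[cve].includes(line));
  const opensslPatched = compareVersions(opensslVersion, FIXED_OPENSSL[line]) >= 0;
  return { line, nodePatched, openCves, opensslPatched };
}

// Self-check of the running process (prints null on lines the advisory does not cover).
console.log(assess(process.version, process.versions.openssl));
```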