The Node.js Foundation revealed a denial-of-service and an out-of-bounds access issue and said the fixes will come next week
Node.js is facing two security vulnerabilities, including a potentially major denial-of-service issue, with patches for the problems not available for a week. Releases of Node.js ranging from 0.12 to version 5 are vulnerable to one or both issues.
A bulletin issued today by the Node.js Foundation, which has jurisdiction over the popular server-side JavaScript platform, covers "a high-impact denial-of-service vulnerability" and a "low-impact V8 out-of-bounds access vulnerability." V8 is the Google-developed JavaScript engine leveraged by Node.js. Officially, the DoS issue is labeled as CVE (Common Vulnerabilities and Exposures) 2015-8027, while the access problem is identified as CVE-2015-6764.
The bulletin describes the DoS vulnerability as widespread among Node versions. "A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high, and users of the affected versions should plan to upgrade when a fix is made available."
The out-of-bounds vulnerability description is less dire. "An additional bug exists in Node.js, all versions of v4.x and v5.x, whereby an attacker may be able to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application. The severity of this issue is considered medium for Node.js users, but only under circumstances where an attacker may cause user-supplied JavaScript to be executed within a Node.js application. Fixes will be shipped for the v4.x and v5.x release lines along with fixes for CVE-2015-8027." The 0.10.x and 0.12.x lines are not affected by this second issue.
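The two affected ranges above are easy to misread when checking a fleet of Node.js hosts, because one advisory starts at 0.12 and the other only at 4.x. The following script is an added example, not part of the InfoWorld article or the Node.js Foundation bulletin; it encodes only the release lines the bulletin names and classifies a version string against them. The `ADVISORIES` table, the helper names and the inventory version strings are all constructed for illustration.

```javascript
// Added example (not from the article or the Node.js Foundation bulletin):
// classify a Node.js version string against the two affected release ranges
// the bulletin states. Version strings in SAMPLE_INVENTORY are constructed.

// Affected release lines as stated in the bulletin (at publication, before
// fixes shipped, so only the major.minor line matters here):
//   CVE-2015-8027 (high, DoS):        v0.12.x through v5.x inclusive
//   CVE-2015-6764 (medium, V8 OOB):   v4.x and v5.x only
const ADVISORIES = [
  { id: 'CVE-2015-8027', severity: 'high',   min: [0, 12], max: [5, Infinity] },
  { id: 'CVE-2015-6764', severity: 'medium', min: [4, 0],  max: [5, Infinity] },
];

// Parse "v4.2.1" or "0.12.7" into [major, minor]; reject anything else so a
// malformed inventory entry is reported rather than silently marked safe.
function parseMajorMinor(version) {
  const m = /^v?(\d+)\.(\d+)(?:\.\d+)?$/.exec(String(version).trim());
  if (!m) throw new TypeError(`unrecognised Node.js version: ${version}`);
  return [Number(m[1]), Number(m[2])];
}

// Lexicographic comparison of two [major, minor] pairs.
function cmp(a, b) {
  return a[0] !== b[0] ? a[0] - b[0] : a[1] - b[1];
}

// Return the ids of every advisory whose range contains the given version.
function affectedAdvisories(version) {
  const v = parseMajorMinor(version);
  return ADVISORIES
    .filter(a => cmp(v, a.min) >= 0 && cmp(v, a.max) <= 0)
    .map(a => a.id);
}

// Usage: report on a constructed inventory, then on the running process.
const SAMPLE_INVENTORY = ['v0.10.40', 'v0.12.7', 'v4.2.2', 'v5.1.0', '6.0.0'];
for (const v of SAMPLE_INVENTORY) {
  const hits = affectedAdvisories(v);
  console.log(`${v}: ${hits.length ? hits.join(', ') : 'not affected'}`);
}
const here = affectedAdvisories(process.version);
console.log(`this process (${process.version}): ${here.join(', ') || 'not affected'}`);
```

The check deliberately works at major.minor granularity because the bulletin gives no patched patch-level versions yet; once the fixes ship, the table would need the first fixed release of each line so that a patched 4.x or 5.x host is no longer flagged.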
Despite the seriousness of the security issues, Node representatives stressed that users shouldn't be worried. The threat to the community is "minimal," Rogers said. "In fact, we already have fixes for both. It is a routine part of our security policy, which we take seriously, to inform our community of vulnerabilities, and then give them time to plan for an upgrade."
Rogers said Node.js security is under more scrutiny since the formation of the foundation, which is affiliated with the Linux Foundation. "We have much more formal and proper security policy now."
Source: Infoworld  