Multiple vulnerabilities in Node.js



Published: 2018-05-14
Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2018-7158
CVE-2018-7159
CVE-2018-7160
CWE-ID CWE-400
CWE-113
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Node.js
Server applications / Web servers

Vendor Node.js Foundation

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU12573

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-7158

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in the splitPathRe regular expression that the core Node.js path module uses for POSIX path parsing (path.parse() and the related POSIX helpers). The expression backtracks catastrophically on certain inputs, so a remote attacker who can get a crafted string passed to one of these functions makes the process spend a non-trivial amount of CPU time evaluating the regex. Because the evaluation runs on the event loop, the application stops serving other requests for as long as the match takes (a regular expression denial of service, ReDoS).

Mitigation

Update to version 4.9.0.

Vulnerable software versions

Node.js: 4.8.0 - 4.8.7

External links

http://nodesource.com/blog/node-js-security-release-summary-march-2018/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) HTTP response splitting

EUVDB-ID: #VU12575

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-7159

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to make Node.js and other HTTP parsers on the same connection path disagree about the length of a request body.

The weakness exists because the HTTP parser in Node.js's http module ignores spaces inside the value of a Content-Length header, so a value such as "1 2" is read as 12. The HTTP specification does not allow spaces within the value. A remote attacker can send a request whose Content-Length is parsed differently by Node.js and by a front-end proxy or other intermediary, so the two disagree about where the body ends and how the bytes that follow on the connection are interpreted.

Mitigation

Update to version 4.9.0, 6.14.0, 8.11.0 or 9.10.0, depending on the release line in use.

Vulnerable software versions

Node.js: 4.8.0 - 9.9.0

External links

http://nodesource.com/blog/node-js-security-release-summary-march-2018/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

EUVDB-ID: #VU12576

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-7160

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code inside a Node.js process that has the inspector enabled.

The weakness exists because the inspector (started with --inspect) did not validate the Host header of incoming connections, leaving it vulnerable to a DNS rebinding attack that bypasses the browser's same-origin policy. A remote attacker can trick the victim into opening a specially crafted website; the page then rebinds its own hostname to 127.0.0.1, connects to the local inspector port and uses the debugger protocol to execute arbitrary JavaScript in the inspected process.

Successful exploitation of the vulnerability may result in system compromise. Processes started without the inspector are not affected.

Mitigation

Update to version 6.14.0, 8.11.0 or 9.10.0, depending on the release line in use. The 4.x line ships no inspector and is not affected.

Vulnerable software versions

Node.js: 6.13.0 - 9.9.0

External links

http://nodesource.com/blog/node-js-security-release-summary-march-2018/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website while a Node.js process with the inspector enabled is running on the victim's machine.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


