node.js could run malicious code
The vulnerability with the highest severity is based on a bypass of the fix for a security problem that was already patched last year (CVE-2021-22884), a common flaw on which, according to Google, half of all zero-day vulnerabilities are based. Attackers can bypass the IsAllowedHost check because the IsIPAddress function does not correctly check whether an address is valid.
Attackers can trigger a DNS request from the web browser by specifying invalid values (the developers give 10.0.2.555 as an example IP). If they are in a man-in-the-middle position or control the DNS server, they could forge DNS responses to carry out a rebinding attack and connect to the WebSocket debugger, and thus execute arbitrary code (CVE-2022-32212, no CVSS score yet, risk "high").
In addition, on Windows node.js could be made to load manipulated libraries if OpenSSL is installed and the configuration file C:\Program Files\Common Files\SSL\openssl.cnf exists. In that case node.js searches for providers.dll in the Windows DLL search path and would load a library placed there by attackers (CVE-2022-32223, no CVSS score yet, high). The 18 branch of node.js is not affected by this vulnerability.
In their blog post, the developers of node.js classify the other vulnerabilities as medium risk (CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-32222 and CVE-2022-2097). With the new versions node.js 18.5.0, 16.16.0 (LTS) and 14.20.0 (LTS), the project closes these security gaps. Administrators should apply the updates promptly.