Node.js: Two critical HTTP security vulnerabilities found

Vulnerability testing and research are vital tasks in the cybersecurity community, keeping software projects protected against the latest threats. Node.js recently released updates that fix one critical vulnerability and two further high-severity flaws.

Node.js, created by Ryan Dahl, is a cross-platform, open-source, server-side JavaScript (ECMAScript) runtime with asynchronous, event-driven I/O, built on Google's V8 engine.

The reported flaws, with their respective CVE identifiers, are:

  • CVE-2019-15606: HTTP header values do not have trailing OWS (optional whitespace) trimmed. An HTTP header value may be followed by OWS, but that whitespace must be stripped: it is not semantically part of the value, and if it is kept, a comparison between the expected and the actual header value can spuriously fail.
  • CVE-2019-15605: HTTP request smuggling via a malformed Transfer-Encoding header.
  • CVE-2019-15604: Remotely triggerable assertion failure on a TLS server that is handed a malformed certificate string.

According to the developers' announcement, the main change concerns HTTP parsing, which has been hardened: "Although this may cause interoperability issues with some unsupported implementations, it is possible to disable updated checks with the --insecure-http-parser command-line flag; the use of an insecure HTTP parser should also be avoided."

All supported Node.js release lines, 10.x, 12.x and 13.x, are affected. The developers recommend installing the updates as soon as possible to mitigate the risk of exploitation. The patched releases are 10.19.0, 12.15.0 and 13.8.0.

The collaborative work of independent researchers and ethical hackers, together with the vulnerability testing processes run by firms and private organizations such as the International Institute of Cyber Security (IICS), helps companies and the developers of widely used tools stay ahead of the curve in today's complex cybersecurity landscape.