June 4, 2023

Node.js has released seven fixes for vulnerabilities in the JavaScript runtime environment that could lead to arbitrary code execution and HTTP request smuggling, among other attacks.

Three vulnerabilities are rated as medium severity  as mentioned below could lead to HTTP request smuggling

  • A flawed parsing of transfer-encoding bug, tracked as CVE-2022-32213.
  • An improper delimiting of header fields issue, tracked as CVE-2022-32214.
  • An Incorrect parsing of multi-line transfer-encoding bug, tracked as CVE-2022-32215.
Advertisements

Impacts versions of the 18.x, 16.x, and 14.x releases lines. llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js.

Another high severity DNS rebinding vulnerability in –inspect via invalid IP addresses, tracked as CVE-2022-32212 could allow for arbitrary code execution, that bypasses of CVE-2021-22884.

A DLL Hijacking vulnerability on Windows tracked as CVE-2022-32223, and CVE-2022-32222, a medium-severity bug that could allow an attacker to attempt to read openssl.cnf from /home/iojs/build/ upon system startup.

The release also contains fixes for a vulnerability in OpenSSL tracked as CVE-2022-2097 that could cause encryption to fail in some circumstances.

Advertisements

All the vulnerabilities have been fixed in the latest versions, Node.js v14.20.0 (LTS), Node.js v16.16.0 (LTS), and Node.js v18.5.0.

Tags:

Leave a Reply

You may have missed

Cisco buys Armorblox

Cisco buys Armorblox

June 3, 2023
CISA KEV Update Part I – May 2023

CISA KEV Update Part I – May 2023

June 3, 2023
Gigabyte Motherboards Backdoor’ed

Gigabyte Motherboards Backdoor’ed

June 3, 2023
MOVEit Vulnerability Exploited in Wild

MOVEit Vulnerability Exploited in Wild

June 2, 2023
CasePoint Suffers a Data Breach

CasePoint Suffers a Data Breach

June 2, 2023
CyberArk Identity Security Web Browser

CyberArk Identity Security Web Browser

June 1, 2023
%d bloggers like this: