TheCyberThrone

Node.js fixes numerous vulnerabilities including OpenSSL


Node.js has released seven fixes for vulnerabilities in the JavaScript runtime environment that could lead to arbitrary code execution and HTTP request smuggling, among other attacks.

Three vulnerabilities rated as medium severity, as mentioned below, could lead to HTTP request smuggling.


They impact versions of the 18.x, 16.x, and 14.x release lines. llhttp v6.0.7 and llhttp v2.1.5 contain the fixes and were updated inside Node.js.

Another vulnerability, a high-severity DNS rebinding issue in --inspect via invalid IP addresses, tracked as CVE-2022-32212, could allow for arbitrary code execution. It is a bypass of CVE-2021-22884.

Also fixed are a DLL hijacking vulnerability on Windows, tracked as CVE-2022-32223, and CVE-2022-32222, a medium-severity bug that could allow an attacker to attempt to read openssl.cnf from /home/iojs/build/ upon system startup.

The release also contains fixes for a vulnerability in OpenSSL tracked as CVE-2022-2097 that could cause encryption to fail in some circumstances.


All the vulnerabilities have been fixed in the latest versions, Node.js v14.20.0 (LTS), Node.js v16.16.0 (LTS), and Node.js v18.5.0.
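
As an added example (not from the original article or the Node.js project), the script below compares a Node.js version and its bundled llhttp version against the fixed versions named above. The function names and status labels are assumptions made for illustration; process.versions.llhttp is the runtime's own report of its bundled llhttp.

```javascript
// Added example: version floors are the fixed releases named in the article.
const FIXED_NODE = { 14: [14, 20, 0], 16: [16, 16, 0], 18: [18, 5, 0] };
const FIXED_LLHTTP = { 2: [2, 1, 5], 6: [6, 0, 7] };

// Parse "v16.15.1" or "6.0.4" into [major, minor, patch]; null if malformed.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when version a is greater than or equal to version b.
// Components are compared as numbers, so 16.9.0 sorts below 16.16.0.
function atLeast(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Compare one version string against the floor for its major line.
// Status labels (hypothetical): patched, vulnerable, not-covered, unparseable.
function checkAgainst(floors, text) {
  const v = parseVersion(text);
  if (!v) return 'unparseable';
  const floor = floors[v[0]];
  if (!floor) return 'not-covered'; // a release line the article does not mention
  return atLeast(v, floor) ? 'patched' : 'vulnerable';
}

// Assess a host from its Node.js version and its bundled llhttp version.
function assessRuntime(nodeVersion, llhttpVersion) {
  return {
    node: checkAgainst(FIXED_NODE, nodeVersion),
    llhttp: checkAgainst(FIXED_LLHTTP, llhttpVersion),
  };
}

// Report on the runtime that is executing this script.
console.log(process.version, assessRuntime(process.version, process.versions.llhttp));
```

A not-covered result means the release line is outside the 14.x, 16.x and 18.x lines this article discusses, not that the runtime is safe.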
