Node.Js Security Bug Fixes

Node.js recently has patched for  new security vulnerabilities. These vulnerabilities can be exploited by attackers to trigger denial of service attacks, bypass security restrictions, and disclose sensitive information.

Cookie Leakage in undici-fetch

The vulnerability is a high severity and  tracked as CVE-2023-45143, In undici, Cookie headers were not always cleared during cross-origin redirects. This discrepancy, stemming from undici’s more liberal handling of headers compared to the standard spec, could inadvertently expose cookies to third-party sites or even malicious entities controlling the redirection target. This could potentially leak sensitive cookie data to unintended recipients.

 Rapid Reset in HTTP/2

The vulnerability is a high severity and  tracked as CVE-2023-44487, Dubbed the “Rapid Reset”, this vulnerability can cause a denial of service when streams are quickly created and canceled. Alarmingly, this vulnerability is already being exploited in the wild. All HTTP/2 server users in active release lines 18.x and 20.x are susceptible.

 Path Traversal Vulnerabilities

The vulnerability is a high severity and  tracked as CVE-2023-39331 & CVE-2023-39332, Two separate but related vulnerabilities have come to light in the experimental permission model of Node.js 20.x. One arises due to insufficient protection against application overwriting built-in utility functions, and the other allows for path traversal via the Uint8Array class. All users utilizing the experimental permission model in Node.js 20.x are at risk.

Policy Integrity Compromised

The vulnerability is a medium severity and tracked as CVE-2023-38552 in Node.js’s policy feature, there’s a loophole where an application can intercept and return a forged checksum, bypassing the crucial integrity check process. All users using the experimental policy mechanism in release lines 18.x and 20.x may be affected.

Code Injection via WebAssembly

The vulnerability is a low severity and tracked as CVE-2023-39333, In a unique vulnerability, malicious export names in an imported WebAssembly module can inject JavaScript code. This code can potentially access data and functions beyond the module’s scope. Users of the –experimental-wasm-modules command line option in lines 18.x and 20.x are vulnerable.

Since updates are now available for the v18.x and v20.x Node.js release lines. The best way to protect yourself from these vulnerabilities is to upgrade to the latest version of Node.js as soon as possible.