The NodeSource Blog

Node.js Security Release Summary - October 2017

At NodeSource, we truly care about secure, reliable, and connected Node.js, and we want to ensure that you're informed about the security and stability of the Node.js platform.

Today, there was a security release for all active Node.js release lines. At time of publishing, the security vulnerability has been patched in semver minor releases of the Node.js 4.x, 6.x, and 8.x release lines. The patched versions are:

  • Node.js 4.8.5
  • Node.js 6.11.5
  • Node.js 8.8.0

To understand the full impact that the patched vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances, see below.

Node.js Security Impact Assessment

CVE-2017-14952: Remote DoS Attack via the zlib Dependency

  • Impact Level: Low
  • Affected Node.js Versions: 4.8.2 - 4.8.4, 6.10.2 - 6.11.5, 8.0.0 - 8.7.0

This vulnerability was introduced in an update of the zlib dependency to zlib@1.2.9, in which 8 became an invalid value for the windowBits parameter.

This issue is reproducibly exploitable remotely as a server crash in a number of existing WebSocket implementations for Node.js, or in custom implementations, that request the value 8 for windowBits. You may also be vulnerable if you use zlib in other areas of your application.

The Node.js project addressed this issue by changing a windowBits value of 8 to 9 in the deflate stream, a minimal change for existing applications that may already be using this parameter.

Example of the affected code, as you would see it in an application or dependency:

const zlib = require('zlib');
zlib.createDeflateRaw({windowBits: 8}); // windowBits of 8 is rejected by zlib 1.2.9 for raw deflate

AFFECTED VERSIONS OF NODE.JS

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.8.5
  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.11.5
  • The Node.js 8 release line is affected. Please upgrade to Node.js 8.8.0

N|Solid Security Update - v2.3.4

We've updated N|Solid to version 2.3.4, which is now available. The release includes updated core Node.js versions for both the Argon and Boron release lines, carrying the patch for each. You can download the updated version of N|Solid now.

Stay Secure with Node.js

For businesses and teams that need to take risk out of their reliance on third-party Node.js modules, NodeSource introduced NodeSource Certified Modules, which offers security, reliability, and support for modules that power mission-critical business applications. We also offer extensive, enterprise-grade Node.js Support as well as professional services around Node.js to make sure that when you need help with Node.js, you’ll have someone on your side.