The NodeSource Blog

Node.js Security Release Summary - March 2018

Today, there was a security release for all active Node.js release lines. At time of publishing, several vulnerabilities ranging from very low to high impact in semver minor releases of the Node.js 4.9.0, 6.14.0, 8.11.0, and 9.10.0 release lines. The patched versions are:

To understand the full impact that the patched vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances, see below.

Node.js Security Impact Assessment

CVE-2018-7160: Node.js Inspector DNS Rebinding

  • Impact Level: High

  • Affected Node.js Versions: Node.js =< v6.13.1, Node.js =< v8.10.0, Node.js =< 9.9.0

The debugger protocol present in Node.js 6 LTS and later was discovered to be vulnerable to a DNS rebinding attack that could be exploited to perform remote code execution on machines running Node.js with the --inspect flag.

Malicious websites open on the same computer or devices on the same network as a computer could use a DNS rebinding attack to get around browsers’ same-origin policy checks. This would enable malicious websites or devices to connect via HTTP to localhost or hosts on the local network, and have the ability to execute code remotely.

Node.js has updated the Inspector API to check for a Host header and ensure that the connection is to localhost if the connection is via hostname.

Affected Node.js Release Lines

  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.14.0.
  • The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.11.0.
  • The Node.js 9 release line is affected. Please upgrade to Node.js 9.10.0.

CVE-2018-7158: RegEx Denial of Service in path module

  • Impact Level: High
  • Affected Node.js Versions: Node.js =< 4.8.7

The splitPathRe regular expression used in the core Node.js path module for POSIX path parsing functions was built in a way that could allow an attacker to exploit the RegEx to perform a denial of service by taking a non-trivial amount of time to parse the value against the RegEx.

This regular expression was replaced in later release lines of Node.js, so only the Node.js v4 release line is affected.

Affected Node.js Release Lines

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.9.0.

CVE-2018-7159: Spaced Ignored in Content-Length HTTP Headers

  • Impact Level: Very Low
  • Affected Node.js Versions: Node.js =< 4.8.7, Node.js =< v6.13.1, Node.js =< v8.10.0, Node.js =< 9.9.0

Until this release, spaces in Content-Length HTTP headers from Node.js’s HTTP module would entirely ignore spaces within the value, despite the HTTP specification not allowing spaces within the values. Node.js’s HTTP parser has now been fixed to address this discrepancy.

Affected Node.js Release Lines

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.9.0.
  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.14.0.
  • The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.11.0.
  • The Node.js 9 release line is affected. Please upgrade to Node.js 9.10.0.

CVE-2018-0739: OpenSSL patch to resolve potential DoS in PKCS#7

  • Impact Level: None / Very Low
  • Affected Node.js Versions: Node.js =< 4.8.7, Node.js =< v6.13.1, Node.js =< v8.10.0, Node.js =< 9.9.0

This is an update to OpenSSL from OpenSSL 1.0.2n to 1.0.2o, which patches a potential Denial of Service in PKCS#7.

By default PKCS#7 is unsupported by Node.js, so the flaw does not impact Node.js’s SSL or TLS functionality. The Node.js Crypto team has stated that they do not believe there is any impact from this vulnerability on Node.js users.

This update also includes a few minor changes to the OpenSSL codebase, as would be expected from an OpenSSL release. OpenSSL has been updated for all Node.js release lines.

Affected Node.js Release Lines

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.9.0.
  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.14.0.
  • The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.11.0.
  • The Node.js 9 release line is affected. Please upgrade to Node.js 9.10.0.

Update Root Certificates Included in Node.js Core

  • Impact Level: None Assigned
  • Affected Node.js Versions: Node.js =< 4.8.7, Node.js =< v6.13.1, Node.js =< v8.10.0, Node.js =< 9.9.0

All release lines included an update to the root certificates that are bundled within Node.js. There were 5 new root certificates added and 30 old root certificates that were removed. See the PR for a full list of those certificates.

If you have concerns about the certificates being removed, you can use the NODE_EXTRA_CA_CERTS environment variable if absolutely required, or use the ca option when creating a TLS or HTTPS server to provide a custom built list of your trusted certs.

Affected Node.js Release Lines

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.9.0.
  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.14.0.
  • The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.11.0.
  • The Node.js 9 release line is affected. Please upgrade to Node.js 9.10.0.

Reminder: Node.js v4 "Argon" LTS EOL is Rapidly Approaching

Node.js v4 "Argon" LTS will be going EOL on April 30th. Once EOL, Node.js v4 will receive no further security updates nor any bug fixes should any issues with the release line be reported.

If you are still on Node.js v4 and need to upgrade for this security release, now may be a good time to also investigate upgrading your Node.js version from the Node.js 4 LTS to the Node.js 6 or Node.js 8 LTS release lines.

Stay Secure with Node.js

Node.js is a highly reliable and actively maintained platform. That said, the code you rely on isn’t always part of Node.js. If you’re deploying Node.js applications to production, you should be actively monitoring the code you’re deploying for performance degradation and vulnerabilities introduced by third-party code.

NodeSource can help you monitor your production code for issues in real-time with N|Solid, a Node.js runtime built to meet the needs of the enterprise. We also offer extensive, enterprise-grade Node.js Support as well as professional services around Node.js to make sure that when you need help with Node.js, you’ll have someone on your side.