The NodeSource Blog

Node.js Security Release Summary - September 2017

The recent Node.js 8.5.0 release included a change which caused a security vulnerability in the checks on paths made by some community modules. As a result, an attacker may be able to access file system paths other than those intended.

At the time of publishing, the security vulnerability has been patched in a semver-minor release of the Node.js 8.x release line. The patched version is Node.js 8.6.0.

To understand the full impact that the fixed vulnerability has on your Node.js deployment and the urgency of the upgrade for your circumstances, you can find details of the release below.

At NodeSource, we truly care about secure, reliable, and connected Node.js, and we want to ensure that you're informed about the security and stability of the Node.js platform.

Node.js Security Impact Assessment

CVE-2017-14849: Path Validation Vulnerability

  • Impact Level: Medium
  • Affected Node.js Versions: 8.5.0

The recent Node.js 8.5.0 release included a commit that exposed a vulnerability in the path checks performed by some third-party, community-maintained modules. The vulnerability made it possible for an attacker to gain access to paths outside the ones that would normally be expected within the scope of an application.

Affected versions of Node.js

  • Node.js 8.5.0 is affected. Please upgrade to Node.js 8.6.0.
  • Node.js 6.x.x LTS is not affected.
  • Node.js 4.x.x LTS is not affected.

N|Solid Security Update - No Vulnerability

We don't currently support N|Solid on the Node.js 8.x release branch, but will be supporting it once Node.js 8.x becomes LTS at the end of October. Current N|Solid customers are not affected by the vulnerability if they are running a supported LTS version. A patched version of Node.js will be included once we support N|Solid with Node.js 8 LTS, in addition to the other release lines.

Stay Secure with Node.js

For businesses and teams that need to take risk out of their reliance on third-party Node.js modules, NodeSource introduced NodeSource Certified Modules, which offers security, reliability, and support for the modules that they rely on to run mission-critical business applications. We also offer extensive, enterprise-grade Node.js Support as well as an Architecture Evaluation to make sure that when you need help with Node.js, you have someone to call.