NOTICE: Node.js Denial of Service Vulnerability Fix
Description and CVSS Score
A bug was discovered in Node.js versions 4.0.0 to 4.1.1 whereby an attacker could cause a denial of service by exploiting a bug in HTTP handling that results in a prematurely terminated process. This bug has been fixed with Node.js v4.1.2. For your own safety, we highly recommend that you update immediately, available on nodejs.org.
HTTP and HTTPS servers are vulnerable, it is also likely that TLS terminators and/or load balancers in front of Node.js processes will not mitigate against the bug.
Are you vulnerable?
- Versions 0.10 and 0.12 of Node.js are not affected.
- Versions 4.0.0, 4.1.0 and 4.1.1 of Node.js are vulnerable.
- Versions 1 and 2 of io.js are not affected but remain unsupported and users of these versions are encouraged to migrate to Node.js v4 at their earliest convenience.
- Version 3 of io.js is vulnerable and while io.js v3 is unsupported, a patch release with a fix will be made available some time next week. Users of io.js v3 are encouraged to migrate to Node.js v4 as a matter of priority.
Common Vulnerability Scoring System (CVSS) v3 Base Score:
| Metric | Score |
|---|---|
| Base Score: | 5.9 (Medium) |
| Base Vector: | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector: | Network (AV:N) |
| Attack Complexity: | Medium (AC:H) |
| Privileges Required: | None (PR:N) |
| User Interaction: | None (UI:N) |
| Scope of Impact: | Unchanged (S:U) |
| Confidentiality Impact: | None (C:N) |
| Integrity Impact: | None (I:N) |
| Availability Impact: | High (A:H) |
Complete CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C/CR:L/IR:L/AR:M/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H
CVE-2015-7384 is listed on the MITRE CVE dictionary and NIST NVD.
Action and updates
A new v4.1.2 release is available with appropriate fixes for this vulnerability along with disclosure of the details of the bug to allow for complete impact assessment by users. Download the new release at nodejs.org.
A new io.js v3.x release for users having trouble migrating to Node.js v4, however this release does not indicate continued official support of io.js release lines. You can find this update on iojs.org.
Contact and future updates
Please contact security@nodejs.org if you wish to report a vulnerability in Node.js.
Please subscribe to the low-volume announcement-only nodejs-sec mailing list to stay up to date with security vulnerabilities in Node.js and the projects maintained in the nodejs GitHub organisation.