The NodeSource Blog

Security Release for NSolid Version 3.8.3

This is a security release for Node.js and includes the following changes:

Vulnerabilities fixed in Node.js

This release includes fixes for the following vulnerabilities in Node.js:

  • CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
  • CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
  • CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.

HTTP parsing is also stricter in this release, to be more secure. Because this may cause interoperability problems with some non-conformant HTTP implementations, the strict checks can be disabled with the --insecure-http-parser command line flag or the insecureHTTPParser http option. Using the insecure HTTP parser should be avoided.
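One way to confirm a deployment has not opted out of the strict checks is to audit how the process was launched. The sketch below is an added example, not NodeSource or Node.js project code: the function names and the sample launch configuration are hypothetical, and it assumes the flag may also arrive through the NODE_OPTIONS environment variable.

```javascript
'use strict';

// Flag named in the release notes above.
const FLAG = '--insecure-http-parser';

// Node accepts underscores in place of dashes in option names,
// so normalise before comparing.
function isInsecureParserFlag(arg) {
  return String(arg).replace(/_/g, '-') === FLAG;
}

// Returns a list of findings; an empty list means no opt-out was found.
// execArgv:    Node's own launch flags (process.execArgv)
// nodeOptions: contents of NODE_OPTIONS (split on whitespace, which is
//              sufficient for a flag that takes no value)
// httpOptions: option objects the application passes to the http module
function auditHttpParser({ execArgv = [], nodeOptions = '', httpOptions = [] } = {}) {
  const findings = [];
  if (execArgv.some(isInsecureParserFlag)) {
    findings.push('command line: ' + FLAG);
  }
  if (nodeOptions.split(/\s+/).filter(Boolean).some(isInsecureParserFlag)) {
    findings.push('NODE_OPTIONS: ' + FLAG);
  }
  httpOptions.forEach((opts, i) => {
    if (opts && opts.insecureHTTPParser === true) {
      findings.push('http options #' + i + ': insecureHTTPParser = true');
    }
  });
  return findings;
}

// Audit the running process, e.g. at startup or from a health check.
function auditCurrentProcess(httpOptions = []) {
  return auditHttpParser({
    execArgv: process.execArgv,
    nodeOptions: process.env.NODE_OPTIONS || '',
    httpOptions,
  });
}

// Constructed sample: a launch that disables strict parsing in three places.
const sampleFindings = auditHttpParser({
  execArgv: ['--insecure_http_parser'],
  nodeOptions: '--max-old-space-size=512 --insecure-http-parser',
  httpOptions: [{}, { insecureHTTPParser: true }],
});
console.log(sampleFindings.length ? sampleFindings.join('\n') : 'strict HTTP parsing in effect');
```

A non-empty result from auditCurrentProcess() can be used to fail a deployment check or raise an alert, so that any opt-out is a deliberate, reviewed exception.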

Additional References

For details about the Node.js security releases and corresponding vulnerabilities, please refer to the links below:

  • Node v10.19.0 (LTS) (see here)
  • Node v12.15.0 (LTS) (see here)
