Node.js update addresses high severity HTTP request smuggling, memory corruption bugs

Security updates have been released for Node.js to address multiple vulnerabilities, including a memory corruption bug and a flaw that opened the door to HTTP request smuggling attacks.

Node.js is an open source JavaScript runtime environment built on Chrome’s V8 JavaScript engine.

The latest update, which was rolled out on January 4, addresses a high impact use-after-free memory corruption flaw (CVE-2020-8265) that could result in denial of service “or potentially other exploits”.

“When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument,” the advisory explains.

“If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure.”

A second vulnerability (CVE-2020-8287) offered a means for attacks to launch HTTP request smuggling exploits.

Affected versions of Node.js allow two copies of a header field in an HTTP request. Node.js identifies the first header field and ignores the second, allowing for request smuggling attacks.

Both flaws have been fixed in all versions of the 10.x, 12.x, 14.x, and 15.x Node.js release lines.

Three’s a crowd

The latest security release also includes a fix to a vulnerability (CVE-2020-1971) impacting the OpenSSL cryptographic library that could be exploited through Node.js.

A security advisory issued by OpenSSL explains how the flaw could result in denial-of-service attacks.

Source: https://portswigger.net/daily-swig/node-js-update-addresses-high-severity-http-request-smuggling-memory-corruption-bugs