Node.js maintainers have released multiple fixes for vulnerabilities in the JavaScript runtime environment that could lead to arbitrary code execution and HTTP request smuggling, among other attacks.
In an advisory published last night (July 7), the project detailed seven now-patched bugs, including three separate HTTP request smuggling vulnerabilities.
These three vulnerabilities – flawed parsing of Transfer-Encoding (CVE-2022-32213), improper delimiting of header fields (CVE-2022-32214), and incorrect parsing of multi-line Transfer-Encoding (CVE-2022-32215) – could all lead to HTTP request smuggling. In each case the llhttp parser in Node's http module accepts a request head that a front-end proxy or load balancer may frame differently, which is what allows a second request to be smuggled past the front end.
These bugs, all rated medium severity, affect every version in the 18.x, 16.x, and 14.x release lines. The fixes landed in llhttp v6.0.7 and llhttp v2.1.5, which have been updated inside Node.js.
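The three bug classes above are all cases of a parser tolerating an ambiguous request head. The following is an added example written for this article, not llhttp or Node's http module: a deliberately strict request-head parser that refuses each ambiguity outright (bare CR/LF line endings, obs-fold continuation lines, and Transfer-Encoding/Content-Length conflicts) and reports which rule a request tripped. The class and function names, and the sample requests, are this example's own constructions.

```javascript
'use strict';

// Strict HTTP/1.1 request-head parser that refuses the three ambiguities behind
// the llhttp smuggling CVEs. Illustrative code for this article, not llhttp or
// Node's http module; class, function and sample names are this example's own.
class SmugglingRisk extends Error {}

const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;          // RFC 9110 token
const KNOWN_CODINGS = new Set(['chunked', 'gzip', 'x-gzip', 'deflate', 'compress']);

function parseRequestHead(raw) {
  const text = Buffer.isBuffer(raw) ? raw.toString('latin1') : raw;
  const end = text.indexOf('\r\n\r\n');
  if (end === -1) throw new SmugglingRisk('head not terminated by CRLF CRLF');
  const head = text.slice(0, end);

  // CVE-2022-32214 class: only CRLF ends a line. A bare CR or bare LF is where
  // two parsers can disagree about which bytes belong to which header.
  if (/\r(?!\n)|(?<!\r)\n/.test(head)) {
    throw new SmugglingRisk('bare CR or LF inside request head');
  }

  const lines = head.split('\r\n');
  const parts = lines[0].split(' ');
  if (parts.length !== 3 || !TOKEN.test(parts[0]) || !/^HTTP\/1\.[01]$/.test(parts[2])) {
    throw new SmugglingRisk('malformed request line');
  }
  const [method, target, version] = parts;

  const headers = new Map(); // lower-cased field name -> list of values
  for (const line of lines.slice(1)) {
    // CVE-2022-32215 class: a continuation line (obs-fold) is rejected rather
    // than folded into the previous field, so "Transfer-Encoding:\r\n chunked"
    // can never turn into a chunked request on one side of a proxy only.
    if (/^[ \t]/.test(line)) throw new SmugglingRisk('obs-fold (multi-line header) rejected');
    const colon = line.indexOf(':');
    if (colon < 1) throw new SmugglingRisk('header line without field name');
    const name = line.slice(0, colon);
    if (!TOKEN.test(name)) throw new SmugglingRisk(`invalid field name ${JSON.stringify(name)}`);
    const key = name.toLowerCase();
    if (!headers.has(key)) headers.set(key, []);
    headers.get(key).push(line.slice(colon + 1).trim());
  }

  // CVE-2022-32213 class: settle the message framing without guessing.
  const te = headers.get('transfer-encoding');
  const cl = headers.get('content-length');
  let framing = { kind: 'none', length: 0 };
  if (te && cl) throw new SmugglingRisk('both Transfer-Encoding and Content-Length present');
  if (te) {
    const codings = te.join(',').split(',').map((c) => c.trim().toLowerCase());
    for (const c of codings) {
      if (!KNOWN_CODINGS.has(c)) throw new SmugglingRisk(`unknown transfer coding ${JSON.stringify(c)}`);
    }
    if (codings[codings.length - 1] !== 'chunked') throw new SmugglingRisk('chunked must be the final transfer coding');
    if (codings.filter((c) => c === 'chunked').length > 1) throw new SmugglingRisk('chunked applied more than once');
    framing = { kind: 'chunked', length: null };
  } else if (cl) {
    const distinct = new Set(cl.flatMap((v) => v.split(',').map((s) => s.trim())));
    if (distinct.size !== 1) throw new SmugglingRisk('conflicting Content-Length values');
    const [value] = distinct;
    if (!/^[0-9]+$/.test(value)) throw new SmugglingRisk('non-numeric Content-Length');
    framing = { kind: 'content-length', length: Number(value) };
  }
  return { method, target, version, headers, framing };
}

// Constructed sample request heads (not captured traffic).
const CRLF = '\r\n';
const SAMPLES = {
  clean: 'POST /upload HTTP/1.1' + CRLF + 'Host: example.test' + CRLF + 'Content-Length: 5' + CRLF + CRLF + 'hello',
  clte: 'POST / HTTP/1.1' + CRLF + 'Host: example.test' + CRLF + 'Content-Length: 4' + CRLF + 'Transfer-Encoding: chunked' + CRLF + CRLF,
  bareLf: 'POST / HTTP/1.1' + CRLF + 'Host: example.test\nContent-Length: 0' + CRLF + CRLF,
  folded: 'POST / HTTP/1.1' + CRLF + 'Host: example.test' + CRLF + 'Transfer-Encoding:' + CRLF + ' chunked' + CRLF + CRLF,
  teOrder: 'POST / HTTP/1.1' + CRLF + 'Host: example.test' + CRLF + 'Transfer-Encoding: chunked, gzip' + CRLF + CRLF,
};

function classify(raw) {
  try {
    const { framing } = parseRequestHead(raw);
    return { ok: true, framing: framing.kind, length: framing.length };
  } catch (e) {
    if (e instanceof SmugglingRisk) return { ok: false, reason: e.message };
    throw e;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, raw] of Object.entries(SAMPLES)) console.log(name, classify(raw));
}
```

Rejecting rather than repairing is the point: a lenient parser that "fixes up" an obs-fold or a bare LF is exactly the behaviour that lets a front end and a back end read different request boundaries from the same bytes. The same strictness has to hold on both sides of a proxy for the desync to be closed.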
Other issues
The advisory also details a DNS rebinding vulnerability in --inspect via invalid IP addresses.
Rated as high severity, the bug (CVE-2022-32212) could allow for arbitrary code execution, the advisory warns.
“The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not.
“When an invalid IPv4 address is provided browsers will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MitM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884,” the post reads. The vulnerability impacts all versions of the 18.x, 16.x, and 14.x release lines.
The advisory also details a DLL hijacking vulnerability on Windows (CVE-2022-32223), and CVE-2022-32222, a medium-severity bug in which Node.js attempts to read openssl.cnf from /home/iojs/build/ on startup. That path ordinarily does not exist on an installed system, so on a shared host a user able to create it could supply the OpenSSL configuration loaded by other users' Node.js processes.
Finally, the release also contains fixes for a vulnerability in OpenSSL, as previously reported by The Daily Swig.
The moderate-severity implementation bug (CVE-2022-2097) can leave part of the data unencrypted in some circumstances.
AES OCB mode on 32-bit x86 platforms using the AES-NI assembly-optimised implementation does not encrypt the entirety of the data, which can reveal sixteen bytes of whatever was already in the output memory that was never written.
In the special case of ‘in place’ encryption, sixteen bytes of the plaintext could be revealed.
Since OpenSSL does not support OCB-based cipher suites for TLS and DTLS, both are unaffected.
All of the vulnerabilities have been fixed in the latest versions, Node.js v14.20.0 (LTS), Node.js v16.16.0 (LTS), and Node.js v18.5.0 (Current).
Source: https://portswigger.net/daily-swig/node-js-fixes-multiple-bugs-that-could-lead-to-rce-http-request-smuggling