mickmick.net

Node.js Multiple Vulnerabilities

Release Date: 16 Oct 2023

RISK: Extremely High Risk

TYPE: Servers - Other Servers

Multiple vulnerabilities have been identified in Node.js. A remote attacker can exploit these vulnerabilities to trigger denial of service, security restriction bypass and sensitive information disclosure on the targeted system.

 

Note:

CVE-2023-44487 is a denial-of-service (DoS) vulnerability in HTTP/2 protocol. The vulnerability known as Rapid Reset, has been exploited in the wild.

---

Impact

• Security Restriction Bypass
• Information Disclosure
• Denial of Service

---

System / Technologies affected

• Node.js versions prior to 18.18.2 (LTS)
• Node.js versions prior to 20.8.1

---

Solutions

Before installation of the software, please visit the vendor web-site for more details.

• Update to Node.js version 18.18.2(LTS)
• Update to Node.js version 20.8.1

---

Vulnerability Identifier

• CVE-2023-38552
• CVE-2023-39331
• CVE-2023-39332
• CVE-2023-39333
• CVE-2023-44487
• CVE-2023-45143

---

Source

• nodejs

---

Related Link

• https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
• https://nodejs.org/en/blog/release/v20.8.1
• https://nodejs.org/en/blog/release/v18.18.2