Security Alert

Several Denial of Service Vulnerabilities in Node.js

Original date: 13.06.2018
Overall risk classification: MEDIUM

Overview

Node.js published security updates for all active release lines on 12 June 2018. Depending on the configuration, Node.js applications may be susceptible to simple denial of service attacks [1, 2]. It is recommended to review whether your application runs on a vulnerable Node.js version and whether all prerequisites for the individual vulnerabilities are met (some require a specific feature such as the HTTP/2 server to be in use). Generally, an update to the fixed release of your line is recommended.

Systems Affected

All active Node.js release lines are affected in versions prior to the following fixed releases [2].

  • Node.js 10.4.1 (Current)
  • Node.js 9.11.2
  • Node.js 8.11.3 (LTS “Carbon”)
  • Node.js 6.14.3 (LTS “Boron”)
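To support the version review recommended above, the following is an added example (not code from the advisory or from the Node.js project) that classifies a Node.js version string against the fixed releases listed above. The fixed versions are taken from this advisory; the parsing, comparison and the 'unknown' outcome for lines the advisory does not cover are my own choices.

```javascript
'use strict';

// Lowest fixed release per active line, per the 12 June 2018 security release
// (values taken from the advisory above).
const FIXED_BY_LINE = {
  10: [10, 4, 1],
  9:  [9, 11, 2],
  8:  [8, 11, 3],
  6:  [6, 14, 3],
};

// Parse "v8.11.2", "8.11.2" or the output of `node --version` (with trailing
// newline) into [major, minor, patch]; throws on anything that is not a release version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a Node.js release version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify a version string:
//   'vulnerable' - below the fixed release of its line
//   'fixed'      - at or above the fixed release of its line
//   'unknown'    - a line not covered by the advisory (e.g. an end-of-life line);
//                  such versions received no fix and should be treated as unsafe.
function classifyVersion(v) {
  const parsed = parseVersion(v);
  const fixed = FIXED_BY_LINE[parsed[0]];
  if (!fixed) return 'unknown';
  return compareVersions(parsed, fixed) < 0 ? 'vulnerable' : 'fixed';
}

// CLI use: `node check-node-version.js [version]`; without an argument the
// version of the running node binary is checked. (File name is assumed.)
if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2] || process.version;
  const status = classifyVersion(target);
  console.log(`${target}: ${status}`);
  // Non-zero exit for CI pipelines; extend to 'unknown' if you want
  // unsupported lines to fail the build as well.
  if (status === 'vulnerable') process.exitCode = 1;
}
```

Run it against the binary that actually serves the application (e.g. inside the container image), not against a developer workstation, since the two frequently differ.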

Threat

Risk: LOW / MEDIUM
All vulnerabilities published on 12 June 2018 allow an attacker to cause a denial of service (a hang or crash of the Node.js process); none of them is reported to allow code execution or data disclosure. The resulting risk depends on how critical availability is for your system.
Exploitability: MEDIUM / HIGH
All vulnerabilities can be exploited remotely and without authentication. Some are only exploitable in specific configurations (e.g. when the HTTP/2 server is in use), while others are exploitable in very common configurations.
Priority (for affected, internet-exposed systems): MEDIUM
Priority (for internal systems): LOW

Mitigation

Update Node.js to the fixed release of the line you use – 10.4.1 (Current), 9.11.2, 8.11.3 (LTS “Carbon”), or 6.14.3 (LTS “Boron”) – or any later release of that line. Release lines not listed above are no longer maintained and receive no fix; applications on such lines should be moved to a supported line. Where an update cannot be applied immediately, disable the affected features that your application does not need (e.g. the HTTP/2 server) and restart crashed processes automatically to limit the impact.

Author

Björn Kirschner

References

[1] Node.js blog: https://nodejs.org/en/blog
[2] nodejs-sec announcement: https://groups.google.com/forum/#!topic/nodejs-sec/lsXouy5LPFo

If you need help assessing the risk of your project, do not hesitate to contact us!