Security Fixes Released for Node.js – Source: securityboulevard.com

New releases of the popular Node.js JavaScript framework are available to address multiple vulnerabilities. The 16.x and 18.x LTS release lines address five new vulnerabilities with the 20.x Current release line fixing 10 new vulnerabilities. All updated versions also include fixes to the OpenSSL library that address vulnerabilities from their March, April, and May security releases. The LTS release lines also include fixes for known vulnerabilities in the c-ares library.

The new releases address three ‘High’ severity vulnerabilities in the 20.x release line one of which also affect the 16.x and 18.x release lines. It should be noted, however, that these ‘High’ severity vulnerabilities, including four of the ‘Medium’ severity issues in the 20.x release, only affect the experimental policy mechanism and permission model. These features were introduced to improve security but are experimental opt-in features. In general, it is not advised to enable experimental features on production systems.

Of the remaining vulnerabilities, CVE-2023-30589 is worth mentioning. It is an HTTP request smuggling vulnerability that is rated as having a ‘Medium’ severity. While the vulnerability is reported in Node.js itself, the root cause resides in the llhttp package for Node.js, which is a Node.js dependency. llhttp version 8.1.1 has been released to fix the vulnerability.

Vulnerability fixes in the 16.x and 18.x release lines

A complete list of the vulnerability fixes in the 16.x and 18.x release lines:

• CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
• CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
• CVE-2023-30588: Process interruption due to invalid Public Key information in x509 certificates (Medium)
• CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
• CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
• OpenSSL Security Releases
  • OpenSSL security advisory 28th March.
  • OpenSSL security advisory 20th April.
  • OpenSSL security advisory 30th May
• c-ares vulnerabilities:
  • GHSA-9g78-jv2r-p7vc
  • GHSA-8r8p-23f3-64c2
  • GHSA-54xr-f67r-4pc4
  • GHSA-x6mf-cxr9-8q6v

Vulnerability fixes in the 20.x release line

A complete list of the vulnerability fixes in the 20.x release line:

• CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
• CVE-2023-30584: Path Traversal Bypass in Experimental Permission Model (High)
• CVE-2023-30587: Bypass of Experimental Permission Model via Node.js Inspector (High)
• CVE-2023-30582: Inadequate Permission Model Allows Unauthorized File Watching (Medium)
• CVE-2023-30583: Bypass of Experimental Permission Model via fs.openAsBlob() (Medium)
• CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
• CVE-2023-30586: Bypass of Experimental Permission Model via Arbitrary OpenSSL Engines (Medium)
• CVE-2023-30588: Process interruption due to invalid Public Key information in x509 certificates (Medium)
• CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
• CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
• OpenSSL Security Releases
  • OpenSSL security advisory 28th March.
  • OpenSSL security advisory 20th April.
  • OpenSSL security advisory 30th May

Update vulnerable versions of Node.js

Systems with vulnerable Node.js installations should be updated to version 16.20.1, 18.16.1, or 20.3.1. Additional action by developers may be required since CVE-2023-30590, a weakness related to Diffie-Hellman key generation, was addressed by updating the documentation for the generateKeys() API function.