From InfoWorld: Node.js is facing two security vulnerabilities, including a potentially major denial-of-service issue, with patches for the problems not available for a week. Releases of Node.js ranging from 0.12 to version 5 are vulnerable to one or both issues.
A bulletin issued today by the Node.js Foundation, which has jurisdiction over the popular server-side JavaScript platform, covers "a high-impact denial-of-service vulnerability" and a "low-impact V8 out-of-bounds access vulnerability." V8 is the Google-developed JavaScript engine leveraged by Node.js. Officially, the DoS issue is labeled as CVE (Common Vulnerabilities and Exposures) 2015-8027, while the access problem is identified as CVE-2015-6764.
"We have two previously undisclosed vulnerabilities. One's not that a big deal [the out-of-bound access issue], one's a slightly bigger deal," said Mikeal Rogers, community manager for the foundation. "Both will be fixed on Wednesday (December 2)" via patches that will be available at Nodejs.org. Rogers said these vulnerabilities had not been exploited.
The bulletin describes the DoS vulnerability as widespread among Node versions. "A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high, and users of the affected versions should plan to upgrade when a fix is made available."
View: Article @ Source Site
