Security Release for DOS Vulnerability in Node.js

| by James Chesters Follow 1 Followers on Dec 01, 2015. Estimated reading time: 1 minute |

The Node.js Foundation has announced vulnerabilities in Node.js where attackers could cause a denial of service.

In the post CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability Rod Vagg, director of the foundation's Technical Steering Committee, gave initial details of two separate vulnerabilities.

CVE-2015-8027 is described as "a high-impact denial of service vulnerability", and CVE-2015-6764 as "a low-impact V8 out-of-bounds access vulnerability." Vagg elaborated on the high impact of CVE-2015-8027, saying:

A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high and users of the affected versions should plan to upgrade when a fix is made available.

Node.js' own security update has been postponed to coincide with security updates announced by the OpenSSL project. The project's moderate severity vulnerabilities may affect all versions from 0.10.x to 5.0.

Commenting on the planned updates for Node.js, in the post December Security Release Schedule Update, Vagg said the team needed to consider "the possibility of introducing a vulnerability gap between disclosure of OpenSSL vulnerabilities and patched releases by Node.js." To prevent this Node's update will be made on December 4: two days later than originally planned.

"Patching and testing of OpenSSL updates is a non-trivial exercise and there will be significant delay after the OpenSSL releases before we can be confident that Node.js builds are stable and suitable for release," Vagg said.

The out-of-bounds Access Vulnerability identified in CVE-2015-6764 affects all versions of Node.js v4.x and v5.x. The medium-severity issue can give attackers the ability "to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application."

Node.js is closely reliant on OpenSSL, with versions v0.10.x and v0.12.x dependent on OpenSSL v1.0.1, and versions v4.x (LTS Argon) and v5.x on OpenSSL v1.0.2. Vagg says because OpenSSL is statically linked into binaries in the Node.js build process there will be "new releases of all actively maintained Node.js release lines" to protect users against potential vulnerabilities.

The OpenSSL project will no longer be releasing security updates for 1.0.0 and 0.9.8 releases from the end of this year.

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread


Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you