The Node.js Foundation has announced vulnerabilities in Node.js that could let attackers cause a denial of service.
In the post "CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability", Rod Vagg, director of the foundation's Technical Steering Committee, gave initial details of two separate vulnerabilities.
CVE-2015-8027 is described as "a high-impact denial of service vulnerability", and CVE-2015-6764 as "a low-impact V8 out-of-bounds access vulnerability." Vagg elaborated on the high impact of CVE-2015-8027, saying:
A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high and users of the affected versions should plan to upgrade when a fix is made available.
Node.js' own security update has been postponed so that it coincides with security updates announced by the OpenSSL project. OpenSSL's moderate-severity vulnerabilities may affect all Node.js versions from 0.10.x to 5.0.
Commenting on the planned updates for Node.js, in the post "December Security Release Schedule Update", Vagg said the team needed to consider "the possibility of introducing a vulnerability gap between disclosure of OpenSSL vulnerabilities and patched releases by Node.js." To avoid this gap, Node's update will be made on December 4, two days later than originally planned.
"Patching and testing of OpenSSL updates is a non-trivial exercise and there will be significant delay after the OpenSSL releases before we can be confident that Node.js builds are stable and suitable for release," Vagg said.
The out-of-bounds access vulnerability identified in CVE-2015-6764 affects all versions of Node.js v4.x and v5.x. The medium-severity issue can give attackers the ability "to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application."
Node.js is closely reliant on OpenSSL: versions v0.10.x and v0.12.x depend on OpenSSL v1.0.1, and versions v4.x (LTS Argon) and v5.x on OpenSSL v1.0.2. Vagg says that because OpenSSL is statically linked into the Node.js binaries during the build process, there will be "new releases of all actively maintained Node.js release lines" to protect users against the potential vulnerabilities.
The OpenSSL project will no longer release security updates for the 1.0.0 and 0.9.8 release lines after the end of this year.