Developers urged to update now to protect their server-side applications
The latest update, which was rolled out on January 4, addresses a high impact use-after-free memory corruption flaw (CVE-2020-8265) that could result in denial of service “or potentially other exploits”.
“When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument,” the advisory explains.
“If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure.”
A second vulnerability (CVE-2020-8287) offered a means for attacks to launch HTTP request smuggling exploits.
Affected versions of Node.js allow two copies of a header field in an HTTP request. Node.js identifies the first header field and ignores the second, allowing for request smuggling attacks.
Both flaws have been fixed in all versions of the 10.x, 12.x, 14.x, and 15.x Node.js release lines.
Three’s a crowd
The latest security release also includes a fix to a vulnerability (CVE-2020-1971) impacting the OpenSSL cryptographic library that could be exploited through Node.js.
A security advisory issued by OpenSSL explains how the flaw could result in denial-of-service attacks.