The Node.js Foundation has pushed out a patch for its eponymous open source, cross-platform runtime environment for developing server-side web applications. The fix plugs two security vulnerabilities, one of which is a high-impact DoS issue (CVE-2015-8027).

“This critical denial of service vulnerability impacts all versions of v0.12.x through to v5.x, inclusive,” the Foundation explained. “The vulnerability was discovered by Node.js core team member Fedor Indutny and relates to HTTP pipelining. Under certain conditions an HTTP socket may no longer have a parser associated with it, but a pipelined request can trigger a pause or resume on the non-existent parser, thereby causing an uncaughtException to be thrown. As these conditions can be created by an external attacker and cause a Node.js service to be shut down, we consider this a critical vulnerability. It is recommended that users of impacted versions of Node.js exposing HTTP services upgrade to the appropriate patched versions as soon as practical.”
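As an added example (not code from the article or from the Node.js project), the following Node.js script checks a version string against the affected range the advisory gives, v0.12.x through v5.x inclusive, and reports whether the running version is at or past the fix for its release line. The patched version numbers it compares against (v0.12.9, v4.2.3, v5.1.1) are an assumption taken from the Node.js December 2015 security release and are not stated in the article; verify them against the official release notes before relying on the result. Release lines inside the range that had no fix published (v1.x through v3.x) are reported as vulnerable with no fix version, since the only remedy is moving to a maintained line.

```javascript
'use strict';

// Added example: assess a Node.js version against the CVE-2015-8027 advisory.
// Affected range per the advisory: v0.12.x through v5.x, inclusive.
// Patched releases below are an ASSUMPTION taken from the Node.js December
// 2015 security release, not from the article; verify against release notes.
const FIXED_IN = {
  '0.12': [0, 12, 9],
  '4': [4, 2, 3],
  '5': [5, 1, 1],
};

// Parse "v4.2.1" or "4.2.1" into [major, minor, patch]; reject anything else
// so a malformed string never silently reads as "not affected".
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error('unrecognised version string: ' + version);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Pre-1.0 Node used the minor number as the release line ("0.12");
// from 1.0 onward the major number is the line ("4", "5").
function releaseLine(v) {
  return v[0] === 0 ? '0.' + v[1] : String(v[0]);
}

// Returns { version, line, inRange, status, fixedIn } where status is one of
// 'patched', 'vulnerable' or 'not-in-advisory-range'.
function assess(version) {
  const v = parseVersion(version);
  const line = releaseLine(v);
  const inRange = (v[0] === 0 && v[1] === 12) || (v[0] >= 1 && v[0] <= 5);
  const fixed = FIXED_IN[line] || null;

  let status;
  if (!inRange) {
    status = 'not-in-advisory-range';
  } else if (fixed && compareVersions(v, fixed) >= 0) {
    status = 'patched';
  } else {
    // Either below the fix for this line, or a line with no fix published.
    status = 'vulnerable';
  }

  return {
    version: v.join('.'),
    line: line,
    inRange: inRange,
    status: status,
    fixedIn: fixed ? 'v' + fixed.join('.') : null,
  };
}

// Check the interpreter this script is running under.
console.log(assess(process.version));

module.exports = { parseVersion, compareVersions, releaseLine, assess };
```

Run it with `node check-node-version.js` on the host that serves HTTP; a result of `vulnerable` with a `fixedIn` value means the advisory's recommended upgrade is the patched release of the same line, and `vulnerable` with `fixedIn: null` means the line itself is unmaintained.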
ORIGINAL SOURCE: Help Net Security