Node.js Security Vulnerabilities

Jan 06, 2021 GMT+08:00

I. Overview

The Node.js project has published a security notice disclosing multiple security vulnerabilities in the 10.x, 12.x, 14.x, and 15.x release lines.

CVE-2020-8265: A use-after-free (UAF) vulnerability in TLSWrap. It may be exploited to corrupt memory, leading to DoS or other possible attacks.

CVE-2020-8287: An HTTP request smuggling vulnerability. It may cause unauthorized access to sensitive data or other security risks.

If you are a Node.js user, check your system and implement timely security hardening.

References:

https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs

II. Severity

Severity: important

(Severity levels: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Node.js versions earlier than v10.23.1 (LTS)

Node.js versions earlier than v12.20.1 (LTS)

Node.js versions earlier than v14.15.4 (LTS)

Node.js versions earlier than v15.5.1

Secure versions:

Node.js v10.23.1 (LTS)

Node.js v12.20.1 (LTS)

Node.js v14.15.4 (LTS)

Node.js v15.5.1 (Current)
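
The version ranges above can be checked mechanically. The following is an added example, not part of the original notice or of Node.js itself: it classifies a Node.js version string against the fixed versions listed here, comparing the components numerically. The host names in the sample inventory are constructed.

```javascript
// Fixed versions per release line, copied from this notice.
const FIXED = { 10: [10, 23, 1], 12: [12, 20, 1], 14: [14, 15, 4], 15: [15, 5, 1] };

// Parse "v14.15.3" or "14.15.3" into [major, minor, patch]; null if malformed.
// Pre-release or nightly suffixes are rejected so they get reviewed by hand.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison: 10.9.0 sorts before 10.23.1, which a plain
// string comparison gets wrong.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "affected"    : on a listed release line, older than its fixed version
// "fixed"       : on a listed release line, at or above its fixed version
// "not-covered" : release line not listed in this notice (no statement made)
// "invalid"     : version string could not be parsed
function classify(versionText) {
  const v = parseVersion(versionText);
  if (!v) return "invalid";
  const fixed = FIXED[v[0]];
  if (!fixed) return "not-covered";
  return compare(v, fixed) < 0 ? "affected" : "fixed";
}

// Classify every entry of an inventory of { host, node } records.
function audit(inventory) {
  return inventory.map((h) => ({ ...h, status: classify(h.node) }));
}

// Constructed sample inventory (hypothetical hosts), plus the local runtime.
const sampleInventory = [
  { host: "web-01", node: "v10.9.0" },
  { host: "web-02", node: "v12.20.1" },
  { host: "api-01", node: "v14.15.3" },
  { host: "build-01", node: "v15.5.1" },
  { host: "local", node: process.version },
];

for (const row of audit(sampleInventory)) {
  console.log(`${row.host}\t${row.node}\t${row.status}`);
}
```
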

IV. Vulnerability Handling

These vulnerabilities have been fixed in the latest official versions. If your service version falls into the affected range, upgrade it to the latest secure version.

Node.js v10.23.1 (LTS)

Node.js v12.20.1 (LTS)

Node.js v14.15.4 (LTS)

Node.js v15.5.1 (Current)

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.