Service Notices
Node.js Security Vulnerabilities
Jan 06, 2021 GMT+08:00
I. Overview
The Node.js project has released a security notice disclosing multiple security vulnerabilities in the 10.x, 12.x, 14.x, and 15.x release lines.
CVE-2020-8265: A use-after-free (UAF) vulnerability in TLSWrap. It may be exploited to corrupt memory, leading to DoS or other possible attacks.
CVE-2020-8287: An HTTP request smuggling vulnerability. It may cause unauthorized access to sensitive data or other security risks.
If you are a Node.js user, check your system and implement timely security hardening.
References:
https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Node.js versions earlier than v10.23.1 (LTS)
Node.js versions earlier than v12.20.1 (LTS)
Node.js versions earlier than v14.15.4 (LTS)
Node.js versions earlier than v15.5.1
Secure versions:
Node.js v10.23.1 (LTS)
Node.js v12.20.1 (LTS)
Node.js v14.15.4 (LTS)
Node.js v15.5.1 (Current)
IV. Vulnerability Handling
These vulnerabilities have been fixed in the latest official versions. If your service version falls into the affected range, upgrade it to the latest secure version.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
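The following check is an added example, not part of the original notice or of Node.js itself. It compares Node.js version strings against the secure versions listed in section III; the function names and the sample inventory are constructed for illustration, and release lines the notice does not name are reported as "unlisted" rather than guessed.

```javascript
// Fixed release per line, copied from the "Secure versions" list in this notice.
const FIXED = { 10: [10, 23, 1], 12: [12, 20, 1], 14: [14, 15, 4], 15: [15, 5, 1] };

// Parse "v14.15.3" or "14.15.3" into [major, minor, patch]; null if malformed.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(text).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric, component-wise comparison (so 10.9.0 sorts before 10.23.1).
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns 'affected', 'secure', 'unlisted' (line not named in the notice) or 'invalid'.
function classify(versionText) {
  const v = parseVersion(versionText);
  if (!v) return 'invalid';
  const fixed = FIXED[v[0]];
  if (!fixed) return 'unlisted';
  return compare(v, fixed) < 0 ? 'affected' : 'secure';
}

// For an inventory of { host, version } records, list the hosts that need an
// upgrade together with the secure version for their release line.
function audit(inventory) {
  return inventory
    .filter((item) => classify(item.version) === 'affected')
    .map((item) => {
      const major = parseVersion(item.version)[0];
      return { host: item.host, version: item.version, upgradeTo: 'v' + FIXED[major].join('.') };
    });
}

// Constructed sample inventory (hypothetical host names).
const SAMPLE = [
  { host: 'api-1', version: 'v14.15.3' },
  { host: 'api-2', version: 'v14.15.4' },
  { host: 'batch-1', version: '10.9.0' },
  { host: 'edge-1', version: 'v15.5.0' },
];

console.log('this runtime:', process.version, classify(process.version));
console.log(audit(SAMPLE));
```

Hosts reported as "unlisted" or "invalid" still need a manual review, because the notice only states fixed versions for the four release lines above.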