Node.js developers fix high-risk vulnerability that could allow remote domain hijacking

guest · Aug 13, 2021

Node.js developers fix high-risk vulnerability that could allow remote domain hijacking
Users of the JS framework need to patch now
August 12, 2021
https://portswigger.net/daily-swig/...lity-that-could-allow-remote-domain-hijacking

A vulnerability in Node.js that could allow a remote actor to perform domain hijacking attacks has been fixed.
The maintainers of the JavaScript runtime environment have released a security advisory today (August 12) warning users to update to the latest version to protect against a series of bugs.

The first vulnerability (CVE-2021-3672/CVE-2021-2293) is an improper handling of untypical characters in domain names, which opened the door to remote code execution (RCE), or cross-site scripting (XSS) exploits.
Click to expand...

A second vulnerability (CVE-2021-22939) is the incomplete validation of rejectUnauthorized parameter.

Finally, a use-after-free flaw (CVE-2021-22930) which could allow an attacker to exploit memory corruption to change process behavior was included as a follow-up fix after previous mitigations did not completely resolve the issue.
All users should upgrade to the latest version of Node.js to be protected against the flaws. More information can be found at the Node.js blog.
Click to expand...

Log in or Sign up

Node.js developers fix high-risk vulnerability that could allow remote domain hijacking

guest Guest

Log in or Sign up

Node.js developers fix high-risk vulnerability that could allow remote domain hijacking

guest Guest

Useful Searches