
Node.js developers fix high-risk vulnerability that could allow remote domain hijacking


Users of the JS framework need to patch now

A vulnerability in Node.js that could allow a remote actor to perform domain hijacking attacks has been fixed


The maintainers of the JavaScript runtime environment released a security advisory today (August 12) warning users to update to the latest version to protect against a series of bugs.

The first vulnerability (CVE-2021-3672/CVE-2021-2293) is an improper handling of untypical characters in domain names, which opened the door to remote code execution (RCE) or cross-site scripting (XSS) exploits.

The flaw, which was classed as high severity, also caused application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library.

This could lead to the output of incorrect hostnames – causing domain hijacking – and injection vulnerabilities in applications using the library.
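As a defence-in-depth measure alongside upgrading, an application can validate hostnames it receives from DNS answers before using them in HTML, logs or commands. The following is an added example, not code from Node.js or from the advisory; the function names are hypothetical, the rules are the RFC 1123 letters-digits-hyphen hostname syntax, and the sample answers are constructed.

```javascript
// Added example: strict validation of hostnames taken from DNS answers.
// Hypothetical helper names; sample data below is constructed.
const MAX_NAME_LENGTH = 253; // maximum textual length of a domain name
// One label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
const LABEL_RE = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

function validateDnsHostname(name) {
  if (typeof name !== 'string') return { ok: false, reason: 'not a string' };
  // Accept one trailing dot (fully qualified form) and strip it.
  const bare = name.endsWith('.') ? name.slice(0, -1) : name;
  if (bare.length === 0 || bare.length > MAX_NAME_LENGTH) {
    return { ok: false, reason: 'bad length' };
  }
  for (const label of bare.split('.')) {
    // Rejects empty labels, control bytes, whitespace, markup characters,
    // and underscore names such as _dmarc (valid DNS names, not hostnames).
    if (!LABEL_RE.test(label)) {
      return { ok: false, reason: 'illegal label ' + JSON.stringify(label) };
    }
  }
  return { ok: true, hostname: bare.toLowerCase() };
}

// Split a list of answers into usable hostnames and rejected values.
function filterDnsHostnames(names) {
  const accepted = [];
  const rejected = [];
  for (const value of names) {
    const result = validateDnsHostname(value);
    if (result.ok) accepted.push(result.hostname);
    else rejected.push({ value, reason: result.reason });
  }
  return { accepted, rejected };
}

// resolveFn is injected, e.g. (ip) => require('node:dns').promises.reverse(ip)
async function safeReverse(resolveFn, ip) {
  const { accepted, rejected } = filterDnsHostnames(await resolveFn(ip));
  for (const r of rejected) {
    console.warn('dropped DNS name', JSON.stringify(r.value), r.reason);
  }
  return accepted;
}

// Constructed sample answers: one well-formed name, three malformed ones.
const SAMPLE_ANSWERS = ['Mail.Example.COM.', 'a<b>.example.com',
  'host\u0000.example.com', 'example.com\n'];
```

Rejected values should be logged in an escaped form, as `JSON.stringify` does here, so the log itself does not become an injection sink.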


A second vulnerability (CVE-2021-22939) is the incomplete validation of the rejectUnauthorized parameter.

If the Node.js HTTPS API was used incorrectly and undefined was passed in for the rejectUnauthorized parameter, no error was returned and connections to servers with an expired certificate would have been accepted. It was classed as low severity.


Finally, a use-after-free flaw (CVE-2021-22930), which could allow an attacker to exploit memory corruption to change process behavior, was included as a follow-up fix after earlier mitigations did not completely resolve the issue.

All users should upgrade to the latest version of Node.js to be protected against the issues. More information can be found at the Node.js blog.

Injection attacks reloaded

The security advisory was released on the same day that a research paper (PDF) related to this issue was published.

Researchers Philipp Jeitner and Haya Shulman are due to discuss their work at the Usenix conference, which is held virtually today.

In the research, titled ‘Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS’, they demonstrate “a new method to launch string injection attacks by encoding malicious payloads into DNS records”.
