The latest Node.js update, released on January 4, addresses a use-after-free memory corruption high-impact vulnerability. Tracked as CVE-2020-8265, successful exploit of the vulnerability could result in a denial of service (DoS) condition or could even trigger other flaws: “When writing to a TLS-enabled socket, node::StreamBase::Write calls node::TLSWrap::D orWrite with a newly assigned WriteWrap object as the first argument,” mentions the developer-issued security alert.
Apparently, if the DoWrite method does not return an error, this object is returned to the caller as part of a StreamWriteResult structure, cybersecurity experts add.
Another of the detected flaws (tracked as CVE-2020-8287) could be abused by threat actors to launch HTTP request smuggling exploits. Affected versions of Node.js allow two copies of a header field in an HTTP request; Node.js identifies the first header field and ignores the second, allowing this attack variant to be completed.
This update also includes fixes to CVE-2020-1971, a vulnerability that affects the OpenSSL cryptographic library that could be exploited through Node.js. The detected flaws were fixed in all Node.js 10.x, 12.x, 14.x, and 15.x versions. Affected deployment administrators are encouraged to update as soon as possible.