Node.js: Two critical HTTP security vulnerabilities found

Vulnerability testing and research are vital tasks in the cybersecurity community for keeping software protected against the latest threats. Node.js has released updates that fix three security vulnerabilities: two in the parsing of HTTP requests and one in the TLS server.

It should be remembered that Node.js, created by Ryan Dahl, is a cross-platform, open-source JavaScript runtime for the server side, built on Google's V8 engine and using an event-driven, asynchronous I/O model.

The reported flaws, with their respective CVE identifiers, are:

  • CVE-2019-15606: HTTP header values do not have trailing optional whitespace (OWS) trimmed. RFC 7230 allows OWS (spaces and horizontal tabs) at the end of a header field value, but it is not semantically part of the value and must be removed. If it is kept as part of the value, a comparison between an expected header value and the value actually received (for example in an authentication or routing check) fails spuriously.
  • CVE-2019-15605: HTTP request smuggling via a malformed Transfer-Encoding header. The parser accepted a Transfer-Encoding value that conforming parsers reject, so a front-end proxy and a Node.js back-end could disagree about where one request ends and the next begins.
  • CVE-2019-15604: Remotely triggered assertion on a TLS server via a malformed certificate string. A client presenting a certificate with a malformed string field could crash a Node.js TLS server by triggering an assertion failure.
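To make the two HTTP issues above concrete, here is an added example (written for this article, not code from the Node.js project or its llhttp parser) that parses a request head the strict way: header values are trimmed of exactly SP and HTAB, control characters in values are flagged, and a Transfer-Encoding header is checked for valid transfer-coding tokens and for coexisting with Content-Length. The two request heads, the X-Api-Key header and the helper names are constructed for illustration; `rawHeaderValue` mimics the pre-fix behaviour of leaving trailing OWS in place, so the spurious inequality the advisory describes can be seen side by side with the trimmed comparison.

```javascript
'use strict';

// Constructed sample request heads for this example (not captured traffic).
// SAMPLE_OWS carries a header value with trailing OWS (SP then HTAB);
// SAMPLE_SMUGGLE carries a Transfer-Encoding value that is not a valid
// transfer-coding token next to a Content-Length, the classic setup for
// request smuggling between a front-end and a back-end parser.
const SAMPLE_OWS = [
  'GET /admin HTTP/1.1',
  'Host: example.test',
  'X-Api-Key: s3cr3t \t',
  '', '',
].join('\r\n');

const SAMPLE_SMUGGLE = [
  'POST /upload HTTP/1.1',
  'Host: example.test',
  'Content-Length: 13',
  'Transfer-Encoding: chunked\x0b',
  '', '',
].join('\r\n');

// RFC 7230 "token" (one or more tchar): header field names and transfer-coding names.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// OWS is exactly SP / HTAB (RFC 7230 section 3.2.3). String.prototype.trim() is
// deliberately not used: it would also strip \x0b, \f and Unicode spaces, which
// are not OWS and must stay visible to the validation in auditRequestHead().
function trimOWS(value) {
  return value.replace(/^[ \t]+|[ \t]+$/g, '');
}

// Pre-fix behaviour: leading OWS is dropped but trailing OWS is left in the value.
function rawHeaderValue(raw, name) {
  const prefix = name.toLowerCase() + ':';
  for (const line of raw.split('\r\n').slice(1)) {
    if (line === '') break;
    if (line.toLowerCase().startsWith(prefix)) {
      return line.slice(prefix.length).replace(/^[ \t]+/, '');
    }
  }
  return undefined;
}

// Parse a request head into { method, target, version, headers }, where headers
// maps a lowercased field name to the list of its OWS-trimmed values.
function parseRequestHead(raw) {
  const lines = raw.split('\r\n');
  const [method, target, version, extra] = lines[0].split(' ');
  if (!method || !target || extra !== undefined || !/^HTTP\/1\.[01]$/.test(version)) {
    throw new Error('malformed request line');
  }
  const headers = new Map();
  for (const line of lines.slice(1)) {
    if (line === '') break; // the empty line ends the head
    const colon = line.indexOf(':');
    if (colon <= 0) throw new Error(`malformed header line ${JSON.stringify(line)}`);
    const name = line.slice(0, colon);
    if (!TOKEN_RE.test(name)) throw new Error(`invalid header name ${JSON.stringify(name)}`);
    const key = name.toLowerCase();
    if (!headers.has(key)) headers.set(key, []);
    headers.get(key).push(trimOWS(line.slice(colon + 1)));
  }
  return { method, target, version, headers };
}

// Stricter checks a conservative server applies after parsing. Returns a list of
// problem strings; an empty list means the head passed.
function auditRequestHead(raw) {
  const problems = [];
  const { headers } = parseRequestHead(raw);
  for (const [name, values] of headers) {
    for (const v of values) {
      // field-content is VCHAR / SP / HTAB / obs-text; other control octets are invalid.
      if (/[\x00-\x08\x0a-\x1f\x7f]/.test(v)) problems.push(`control character in ${name}`);
    }
  }
  const te = headers.get('transfer-encoding');
  if (te) {
    // RFC 7230 3.3.3 lets a server reject this combination outright; rejecting is
    // the safe choice, because it is what smuggling attacks rely on being tolerated.
    if (headers.has('content-length')) problems.push('Transfer-Encoding and Content-Length both present');
    const codings = te.join(',').split(',').map(trimOWS);
    codings.forEach((c, i) => {
      if (!TOKEN_RE.test(c)) problems.push(`invalid transfer-coding ${JSON.stringify(c)}`);
      else if (c.toLowerCase() === 'chunked' && i !== codings.length - 1) problems.push('chunked is not the final transfer-coding');
    });
    if (codings.filter((c) => c.toLowerCase() === 'chunked').length > 1) problems.push('chunked listed more than once');
  }
  return problems;
}

// Authorization check against the trimmed value: exactly one X-Api-Key, equal to the expected key.
function apiKeyMatches(raw, expected) {
  const values = parseRequestHead(raw).headers.get('x-api-key') || [];
  return values.length === 1 && values[0] === expected;
}

console.log('untrimmed value equals key:', rawHeaderValue(SAMPLE_OWS, 'X-Api-Key') === 's3cr3t');
console.log('trimmed value equals key:', apiKeyMatches(SAMPLE_OWS, 's3cr3t'));
console.log('audit of OWS sample:', auditRequestHead(SAMPLE_OWS));
console.log('audit of smuggling sample:', auditRequestHead(SAMPLE_SMUGGLE));
```

The untrimmed comparison fails while the trimmed one succeeds, which is the inequality behind CVE-2019-15606; the second sample is rejected on three grounds (a control character in the value, an invalid transfer-coding, and Transfer-Encoding next to Content-Length), any one of which is enough for a conforming server to answer 400 instead of guessing the message length.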

According to the developers' announcement, the main update concerns HTTP parsing, whose checks have been made stricter: “Although this may cause interoperability issues with some unsupported implementations, it is possible to disable the updated checks with the --insecure-http-parser command-line flag; the use of an insecure HTTP parser should also be avoided.”

Vulnerability testing indicates that all supported Node.js release lines, 10.x, 12.x and 13.x, are affected by these flaws. The developers recommend installing the updates as soon as possible to mitigate the risk of exploitation. The fixed versions are 10.19.0, 12.15.0 and 13.8.0.

The collaborative work of independent researchers and ethical hackers, together with the vulnerability testing processes run by multiple firms and private organizations such as the International Institute of Cyber Security (IICS), helps companies and the developers of widely used tools stay ahead of the curve in today's complex cybersecurity landscape.