The first of the reported flaws, tracked as CVE-2021-22931, was described as a bug in handling atypical characters in domain names that could be exploited to deploy cross-site scripting (XSS) attacks, remote code execution, and force faults in the affected application.
Apparently, the flaw exists because Node.js does not correctly validate the entry of host names returned by servers in the Node.js DNS library, making it easier to exit incorrect domain names. This flaw is considered a high severity one.
On the other hand, CVE-2021-22930 is a use-after-free vulnerability in HTTP2 stream cancellation. Malicious actors could abuse a memory corruption scenario to disrupt the proper functioning of the process, resulting in the compromise of the affected application. Researchers consider this to be a vulnerability of medium severity.
Finally, CVE-2021-22939 is an incomplete validation flaw of the unauthorized reject parameter. According to the report, if the Node HTTPS API.js was used incorrectly and “undefined” was passed for the “verifyUnauthorized” parameter, the system does not respond with an error and connections to servers with an expired or forged certificate are accepted. This vulnerability is considered to be a bug of medium severity.
So far the exact score that these vulnerabilities will receive according to the Common Vulnerability Scoring System (CVSS) is still unknown; nonetheless, the report highlights that none of the reported flaws have been exploited in real scenarios.
Users of affected deployments should be aware the official Node.js platforms to know what are the best ways to prevent the exploitation of these flaws or the exact date when official security patches will be available.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.