Friday October 13 2023 Security Releases

Rafael Gonzaga

(Update 13-October-2023) Security releases available

Updates are now available for the v18.x and v20.x Node.js release lines for the following issues.

Undici did not always clear Cookie headers on cross-origin redirects. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

More details area available in GHSA-wqq4-5wpv-mx2g

nghttp2 - HTTP/2 Rapid Reset (High) - (CVE-2023-44487)

Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound causes denial of service. See https://www.cve.org/CVERecord?id=CVE-2023-44487 for details.

Impacts:

  • This vulnerability affects all users of HTTP/2 servers in all active release lines 18.x and 20.x.

Permission model improperly protects against path traversal (High) - (CVE-2023-39331)

A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations.

Impacts:

  • This vulnerability affects all users using the experimental permission model in Node.js 20.x.

Please note that at the time this CVE is issued, the permission model is an experimental feature of Node.js.

Thanks to Tobias Nießen who reported and created the security patch.

Path traversal through path stored in Uint8Array (High) - (CVE-2023-39332)

Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the Buffer class extends the Uint8Array class. Node.js prevents path traversal through strings (see CVE-2023-30584) and Buffer objects (see CVE-2023-32004), but not through non-Buffer Uint8Array objects.

This is distinct from CVE-2023-32004 (report 2038134), which only referred to Buffer objects. However, the vulnerability follows the same pattern using Uint8Array instead of Buffer.

Impacts:

  • This vulnerability affects all users using the experimental permission model in Node.js 20.x.

Please note that at the time this CVE is issued, the permission model is an experimental feature of Node.js.

Thanks to Tobias Nießen who reported and created the security patch.

Integrity checks according to policies can be circumvented (Medium) - (CVE-2023-38552)

When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to node's policy implementation, thus effectively disabling the integrity check.

Impacts:

  • This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x.

Please note that at the time this CVE is issued, the policy mechanism is an experimental feature of Node.js.

Thanks to Tobias Nießen who reported and created the security patch.

Code injection via WebAssembly export names (Low) - (CVE-2023-39333)

Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module.

Impacts:

  • This vulnerability affects users of the --experimental-wasm-modules command line option in all active release lines 18.x and 20.x.

Thanks to dittyroma for reporting the issue and to Tobias Nießen for fixing it.

Downloads and release details


Summary

The Node.js project will release new versions of the 18.x and 20.x releases lines on or shortly after, Friday October 13 2023 in order to address:

  • 2 high severity issues.
  • 1 medium severity issue.
  • 1 low severity issue.
  • undici October security updates
  • nghttp2 October security updates

Impact

All the active release lines are affected by undici and nghttp2 security patches, which are rated as high severity issues.

In addition, the 20.x release line of Node.js is vulnerable to 2 high severity issues, 1 medium severity issue, and 1 low severity issue.

In addition, the 18.x release line of Node.js is vulnerable to 1 medium severity issue, and 1 low severity issue.

Release timing

Releases will be available on, or shortly after, Friday October 13 2023.

Contact and future updates

The current Node.js security policy can be found at https://nodejs.org/security/. Please follow the process outlined in https://github.com/nodejs/node/security/policy if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.