FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

node.js -- multiple vulnerabilities

Affected packages
node4 < 4.9.0
node6 < 6.14.0
node8 < 8.11.0
node < 9.10.0

Details

VuXML ID 5a9bbb6e-32d3-11e8-a769-6daaba161086
Discovery 2018-03-21
Entry 2018-03-28
Modified 2018-03-28

Node.js reports:

Node.js Inspector DNS rebinding vulnerability (CVE-2018-7160)

Node.js 6.x and later include a debugger protocol (also known as "inspector") that can be activated by the --inspect and related command line flags. This debugger service was vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution.

'path' module regular expression denial of service (CVE-2018-7158)

The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x.

Spaces in HTTP Content-Length header values are ignored (CVE-2018-7159)

The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12. The HTTP specification does not allow for spaces in the Content-Length value and the Node.js HTTP parser has been brought into line on this particular difference.

References

CVE Name CVE-2018-7158
CVE Name CVE-2018-7159
CVE Name CVE-2018-7160
URL https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/