Node.js is vulnerable to HTTP/2 rapid reset zero-day vulnerability CVE-2023-44487

Node.js CVE-2023-44487

Node.js is a popular JavaScript runtime environment that is used to build scalable and performant web applications and servers. However, like any software, Node.js is not without its security vulnerabilities.

Recently, several new security vulnerabilities were discovered in Node.js. These vulnerabilities can be exploited by attackers to trigger denial of service attacks, bypass security restrictions, and disclose sensitive information.

1. Cookie Leakage in undici-fetch (CVE-2023-45143 – High Severity)

In undici, Cookie headers were not always cleared during cross-origin redirects. This discrepancy, stemming from undici’s more liberal handling of headers compared to the standard spec, could inadvertently expose cookies to third-party sites or even malicious entities controlling the redirection target. This could potentially leak sensitive cookie data to unintended recipients.
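The defensive behaviour the fix restores, as an added example (not undici's own code): when a redirect leaves the request's origin, credential-bearing headers such as Cookie and Authorization must not be forwarded. The function names and the sample headers below are my own.

```javascript
// Headers that must not follow a request to a different origin on redirect.
// Cookie is the one CVE-2023-45143 concerns; the Fetch spec also drops
// Authorization on cross-origin redirects, and undici strips the others.
const CROSS_ORIGIN_SENSITIVE = new Set([
  'cookie', 'authorization', 'proxy-authorization', 'host',
]);

// Same origin = same scheme, host and port. new URL() normalises default
// ports, so https://a.example/ and https://a.example:443/ compare equal.
function sameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Compute the request headers to send when following a redirect from
// fromUrl to toUrl. Header names are lower-cased in the result.
function headersForRedirect(fromUrl, toUrl, headers) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    // The pre-fix behaviour forwarded every header regardless of origin;
    // the hardened behaviour drops the sensitive ones on an origin change.
    if (crossOrigin && CROSS_ORIGIN_SENSITIVE.has(lower)) continue;
    forwarded[lower] = value;
  }
  return forwarded;
}

// Constructed sample: a login request redirected to a third-party site.
const sampleHeaders = {
  Cookie: 'session=abc123',
  Authorization: 'Bearer t0k3n',
  'Content-Type': 'application/json',
};
console.log(headersForRedirect('https://app.example/login',
                               'https://third-party.example/landing',
                               sampleHeaders));
// → { 'content-type': 'application/json' }
```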

2. The Peril of Rapid Reset in HTTP/2 (CVE-2023-44487 – High Severity)

Dubbed “Rapid Reset”, this vulnerability allows a denial of service when HTTP/2 streams are rapidly created and then cancelled. Alarmingly, it is already being exploited in the wild. All HTTP/2 server users in the active release lines 18.x and 20.x are susceptible.

3. Path Traversal Vulnerabilities (CVE-2023-39331 & CVE-2023-39332 – High Severity)

Two separate but related vulnerabilities have come to light in the experimental permission model of Node.js 20.x. One arises from insufficient protection against an application overwriting built-in utility functions, and the other allows path traversal via the Uint8Array class. All users of the experimental permission model in Node.js 20.x are at risk.

4. Policy Integrity Compromised (CVE-2023-38552 – Medium Severity)

In Node.js’s policy feature, there’s a loophole where an application can intercept and return a forged checksum, bypassing the crucial integrity check process. All users using the experimental policy mechanism in release lines 18.x and 20.x may be affected.

5. Code Injection via WebAssembly (CVE-2023-39333 – Low Severity)

In this vulnerability, malicious export names in an imported WebAssembly module can inject JavaScript code. That code can potentially access data and functions beyond the module’s scope. Users of the --experimental-wasm-modules command line option in release lines 18.x and 20.x are vulnerable.

With the identification of these vulnerabilities, updates are now available for the v18.x and v20.x Node.js release lines. The best way to protect yourself from these vulnerabilities is to upgrade to the latest version of Node.js as soon as possible.