The DNS rebinding vulnerability only affects macOS devices and was disclosed originally in July. However, the fix for the vulnerability only addressed part of the issue, so the Node.js maintainers released an updated fix for it/
“The fix for CVE-2022-32212, covered the cases for routable IP addresses, however, there exists a specific behavior on macOS devices when handling the http://0.0.0.0 URL that allows an attacker-controlled DNS server to bypass the DNS rebinding protection by resolving hosts in the .local domain,” the September advisory says.
“An attacker-controlled DNS server can, resolve
The bug affects all versions of 18.x, 16.x, and 14.x of Node.js.
One of the HTTP request smuggling bugs (CVE-2022-32215) is also an update to address an incomplete fix. The other (CVE-2022-35256) is a newly discovered bug that involves the way that Node.js handles headers in some cases.
“This vulnerability relates to the handling of header fields immediately preceding a header such as Transfer-Encoding. When the preceding header is not properly terminated with a CLRF - and when the value is empty - node will accept the Transfer-Encoding header (or most other headers such as Content-Length). This malformed request should be rejected by the HTTP server. If it is not rejected, it may be used for HTTP request smuggling,” an analysis by Octavia Johnston of Prelude, which discovered the bug, says.
This flaw also affects all of the 18.x, 16.x, and 14.x releases.
The Node.js updates also include a fix for an issue in the way that the framework sources entropy for key generation.
“Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail,” the advisory says.
Users should upgrade to versions 14.20.1, 16.17.1, or 18.9.1 to protect against these bugs.