
Node.js Update Fixes High Severity Flaws

A new security update for the Node.js JavaScript framework fixes several vulnerabilities, including a pair of HTTP request smuggling flaws and an updated patch for a DNS rebinding bug that was not fixed completely in a previous release.

The DNS rebinding vulnerability only affects macOS devices and was disclosed originally in July. However, the fix for the vulnerability only addressed part of the issue, so the Node.js maintainers released an updated fix for it.

“The fix for CVE-2022-32212 covered the cases for routable IP addresses, however, there exists a specific behavior on macOS devices when handling the http://0.0.0.0 URL that allows an attacker-controlled DNS server to bypass the DNS rebinding protection by resolving hosts in the .local domain,” the September advisory says.

“An attacker-controlled DNS server can resolve <Computer Name>.local to any arbitrary IP address, and consequently cause the victim's browser to load arbitrary content at http://0.0.0.0. This allows the attacker to bypass the DNS rebinding protection.”

The bug affects all versions of 18.x, 16.x, and 14.x of Node.js.

One of the HTTP request smuggling bugs (CVE-2022-32215) is also an update to address an incomplete fix. The other (CVE-2022-35256) is a newly discovered bug that involves the way that Node.js handles headers in some cases.

“This vulnerability relates to the handling of header fields immediately preceding a header such as Transfer-Encoding. When the preceding header is not properly terminated with a CRLF - and when the value is empty - node will accept the Transfer-Encoding header (or most other headers such as Content-Length). This malformed request should be rejected by the HTTP server. If it is not rejected, it may be used for HTTP request smuggling,” an analysis by Octavia Johnston of Prelude, which discovered the bug, says.

This flaw also affects all of the 18.x, 16.x, and 14.x releases.
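As an added illustration (not code from Node.js or from Prelude's analysis), the validator below shows the strict behavior the analysis calls for: a request head in which a header field is not terminated by CRLF is rejected outright rather than parsed leniently, so a following Transfer-Encoding or Content-Length field cannot be accepted on the back of the malformed line. The sample requests are constructed, not captured traffic.

```javascript
// RFC 9110 "token" characters: the only characters allowed in a header name.
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;
// Allowed in a header value: HTAB, visible ASCII and obs-text; no other controls.
const VALUE_OK = /^[\t\x20-\x7e\x80-\xff]*$/;

// Validate the head of an HTTP/1.1 request (request line, header fields, empty
// line). Every line must end in exactly CRLF; a bare CR or LF inside a line is
// treated as a malformed terminator and the whole request is rejected instead
// of being parsed leniently. Returns { ok, reason } or { ok, headers }.
function validateRequestHead(raw) {
  const end = raw.indexOf('\r\n\r\n');
  if (end === -1) return { ok: false, reason: 'missing CRLF CRLF terminator' };
  const lines = raw.slice(0, end).split('\r\n');
  const requestLine = lines.shift();
  if (!/^[A-Z]+ \S+ HTTP\/1\.[01]$/.test(requestLine)) {
    return { ok: false, reason: 'malformed request line' };
  }
  const headers = new Map();
  for (const line of lines) {
    // Splitting on CRLF removed every proper terminator; any CR or LF left
    // over is a bare one, e.g. "X-Pad:\n" running into the next field.
    if (/[\r\n]/.test(line)) {
      return { ok: false, reason: 'header line not terminated by CRLF' };
    }
    const colon = line.indexOf(':');
    const name = colon > 0 ? line.slice(0, colon) : '';
    if (!TOKEN.test(name)) return { ok: false, reason: 'malformed header name' };
    const value = line.slice(colon + 1).trim();
    if (!VALUE_OK.test(value)) return { ok: false, reason: 'control character in value' };
    const key = name.toLowerCase();
    headers.set(key, headers.has(key) ? `${headers.get(key)}, ${value}` : value);
  }
  // Ambiguous framing is another smuggling vector; refuse it outright.
  if (headers.has('transfer-encoding') && headers.has('content-length')) {
    return { ok: false, reason: 'both Transfer-Encoding and Content-Length' };
  }
  return { ok: true, headers };
}

// Constructed sample requests (not captured traffic).
const GOOD = 'POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n';
// An empty-valued field ended by a bare LF instead of CRLF, so the following
// Transfer-Encoding field runs into it: the shape the analysis describes.
const MALFORMED = 'POST /upload HTTP/1.1\r\nHost: app.example\r\nX-Pad:\nTransfer-Encoding: chunked\r\n\r\n';

for (const req of [GOOD, MALFORMED]) {
  const result = validateRequestHead(req);
  console.log(result.ok ? 'accepted' : `rejected: ${result.reason}`);
}
```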

The Node.js updates also include a fix for an issue in the way that the framework sources entropy for key generation.

“Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail,” the advisory says.

Users should upgrade to versions 14.20.1, 16.17.1, or 18.9.1 to protect against these bugs.