Overview
Node is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model that makes it lightweight and efficient, and is widely used in server-side applications.
An OS Command Injection vulnerability has been identified in Node. The issue stems from an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. This weakness allows attackers to execute arbitrary commands on the server.
This vulnerability affects specific versions of the package and can result in unauthorized access. Details on affected versions and reproduction steps are provided below.
Details
Module Info
Affected packages: Node
Affected versions: 4.0 < 14.20.1, 16 < 16.17.1, 18 < 18.9.1
GitHub repository: https://github.com/nodejs/node
Published packages: https://github.com/nodejs/node/releases
Package manager: npm
Fixed in: Node.js NES version 12
Vulnerability Info
In a Node.js server context, if an attacker sends a specially crafted request, the system may execute arbitrary commands due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. This behavior can be exploited by attackers to gain unauthorized access to the server.
This vulnerability is a result of flawed logic, and may allow attackers to execute arbitrary commands on the server.
- https://www.cve.org/CVERecord?id=CVE-2022-32212
- https://hackerone.com/reports/1632921
Credits
- Zeyu Zhang
Mitigation
This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.
- Update to a patched LTS version of Node.js
- Leverage a commercial support partner like HeroDevs for post-EOL security.
Refer to the NES documentation for upgrade instructions.
