Overview
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model that makes it lightweight and efficient, and is widely used in web applications and server-side development.
An Cryptographic Weakness vulnerability has been identified in Node.js. The issue stems from the generateKeys() API function returning only missing or outdated keys, which can lead to security issues in applications that rely on this API.
This vulnerability affects specific versions of the package and can result in unauthorized access or compromised application-level security. Details on affected versions and reproduction steps are provided below.
Details
Module Info
Affected packages: Node.js
Affected versions: 4.0 < 16.20.1, 18 < 18.16.1, 20 < 20.3.1
GitHub repository: https://github.com/nodejs/node
Published packages: https://github.com/nodejs/node/releases
Package manager: npm
Fixed in: Node.js NES version 12, 14
Vulnerability Info
The issue stems from the generateKeys() API function not generating a public key after setting a private key.
For instance, in cryptographic operations, if the private key is set without generating the corresponding public key, the system may fail to establish secure connections. This behavior can be exploited by attackers to compromise the security of the application.
This vulnerability is a result of flawed logic in the API implementation, and may allow attackers to exploit the cryptographic operations.
- https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
- https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
Credits
- Ben Smyth
Mitigation
This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.
- Update to a patched LTS version of Node.js
- Leverage a commercial support partner like HeroDevs for post-EOL security.
Refer to the NES documentation for upgrade instructions.
