Overview
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model and is widely used in server-side applications.
An Information Exposure vulnerability has been identified in Node.js. The issue stems from the use of an unpatched version of OpenSSL which allows for a covert timing channel attack. This weakness allows attackers to infer sensitive information through timing discrepancies.
This vulnerability affects specific versions of the package and can result in unauthorized access to sensitive data. Details on affected versions and reproduction steps are provided below.
Details
Module Info
Affected packages: Node.js
Affected versions: 4.0 < 18.19.1, 20 < 20.11.1
GitHub repository: https://github.com/nodejs/node
Published packages: https://github.com/nodejs/node/releases
Package manager: npm
Fixed in: Node.js NES version 12, 14, 16
Vulnerability Info
The issue stems from the use of an unpatched version of OpenSSL that allows for timing attacks.
For instance, in a scenario where PKCS #1 v1.5 padding is allowed during RSA decryption, if specific timing conditions occur, the system may leak sensitive information. This behavior can be exploited by attackers to infer private keys.
This vulnerability is a result of flawed logic in the cryptographic implementation, and may allow attackers to gain unauthorized access to sensitive data.
- https://nodejs.org/en/blog/vulnerability/february-2024-security-releases
- https://hackerone.com/reports/2269177
Credits
- hkario
Mitigation
This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.
- Update to a patched LTS version of Node.js
- Leverage a commercial support partner like HeroDevs for post-EOL security.
Refer to the NES documentation for upgrade instructions.
