Overview
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model that makes it lightweight and efficient, and is widely used in web applications and server-side development.
An Improper Access Control vulnerability has been identified in Node.js. The issue stems from the diagnostics_channel utility, which allows event hooking into worker thread creation. This weakness allows attackers to exploit internal workers for malicious usage.
This vulnerability affects specific versions of the package and can result in unauthorized access. Details on affected versions and reproduction steps are provided below.
Details
Module Info
Affected packages: Node.js
Affected versions: 4.0 < 20.18.2, 22 < 22.13.1
GitHub repository: https://github.com/nodejs/node
Published packages: https://github.com/nodejs/node/releases
Package manager: npm
Fixed in: NES for Node.js version v16, v18
Vulnerability Info
The issue stems from improper access control in the diagnostics_channel utility.
For instance, in a scenario where a worker thread is created, if an attacker hooks into this event, they can fetch the internal worker instance and exploit it. This behavior can be exploited by attackers to execute arbitrary code.
This vulnerability is a result of flawed logic, and may allow attackers to escalate privileges.
- https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
- https://owasp.org/Top10/A01_2021-Broken_Access_Control/
Credits
- leodog896
Mitigation
This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.
- Update to a patched LTS version
- Leverage a commercial support partner like HeroDevs for post-EOL security.
Refer to the NES documentation for upgrade instructions.