August 2021 Security Releases
Michael Dawson
(Update 11-Aug-2021) Security releases available
Updates are now available for v16.x, v14.x, and v12.x Node.js release lines for the following issues.
cares upgrade - Improper handling of untypical characters in domain names (High) (CVE-2021-22931)
Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js DNS library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
You can read more about it in: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22931
Impacts:
- All versions of the 16.x, 14.x, and 12.x releases lines
Thank you to Philipp Jeitner from Fraunhofer SIT for reporting this vulnerability.
Use after free on close http2 on stream canceling (High) (CVE-2021-22940)
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930.
You can read more about it in: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22940
Impacts:
- All versions of the 16.x, 14.x, and 12.x releases lines
Thank you to Eran Levin (exx8) for reporting the original vulnerability and those who helped identify the remaining issues.
Incomplete validation of rejectUnauthorized parameter (Low) (CVE-2021-22939)
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
You can read more about it in: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22939
Impacts:
- All versions of the 16.x, 14.x, and 12.x releases lines
Thank you to Tim Perry, from HTTP Toolkit for reporting this vulnerability.
Downloads and release details
Summary
The Node.js project will release new versions of all supported release lines on or shortly after Wednesday August 11th, 2021 in order to address:
- Two high severity issues and one low severity issue.
Impact
The 16.x release line of Node.js is vulnerable to two high severity issues and one low severity issue.
The 14.x release line of Node.js is vulnerable to two high severity issues and one low severity issue.
The 12.x release line of Node.js is vulnerable to two high severity issues and one low severity issue.
Release timing
Releases will be available at, or shortly after, Wednesday, August 11th, 2021.
Contact and future updates
The current Node.js security policy can be found at https://github.com/nodejs/node/security/policy#security. Please follow the process outlined in https://github.com/nodejs/node/security/policy if you wish to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.