Input validation error in Node.js

1) Input validation error

EUVDB-ID: #VU42456

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C]

CVE-ID: CVE-2013-4450

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Node.js: 0.8.0 - 0.10.20

CPE2.3

• cpe:2.3:a:node_js_foundation:nodejs:0.8.25:*:*:*:*:*:*:*
• cpe:2.3:a:node_js_foundation:nodejs:0.10.20:*:*:*:*:*:*:*

External links

http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/
http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/
http://lists.opensuse.org/opensuse-updates/2013-12/msg00051.html
http://rhn.redhat.com/errata/RHSA-2013-1842.html
http://www.openwall.com/lists/oss-security/2013/10/20/1
http://www.securityfocus.com/bid/63229
http://github.com/joyent/node/issues/6214
http://github.com/rapid7/metasploit-framework/pull/2548
http://groups.google.com/forum/#!topic/nodejs/NEbweYB0ei0
http://kb.juniper.net/JSA10783

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.