SB2021070819 - Multiple vulnerabilities in Node.js

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Incorrect Regular Expression (CVE-ID: CVE-2021-27290)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect processing of SRIs. A remote attacker can pass specially crafted input to the application and perform regular expression denial of service (ReDoS) attack.

2) Out-of-bounds read (CVE-ID: CVE-2021-22918)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in uv__idna_toascii() function in libuv, which is used to convert strings to ASCII. A remote attacker can force the application to resolve a specially crafted hostname, trigger an out-of-bounds read error and gain access to sensitive information or perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
• https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf
• https://npmjs.com
• https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/