Vulnerability identifier: #VU41349
Vulnerability risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-119
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Node.js
Server applications /
Web servers
Vendor: Node.js Foundation
Description
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Node.js: 0.8.0 - 0.8.27, 0.10.0 - 0.10.29
External links
http://advisories.mageia.org/MGASA-2014-0516.html
http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
http://secunia.com/advisories/61260
http://www.mandriva.com/security/advisories?name=MDVSA-2015:142
http://www-01.ibm.com/support/docview.wss?uid=swg21684769
http://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.