In association with heise online

08 May 2012, 10:43

Node.js update fixes information disclosure vulnerability

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Node.js logo The Node.js developers are advising all users to upgrade to the latest stable release of their JavaScript-based, event-driven, application framework, as soon as possible. Version 0.6.17 of Node.js closes a security hole in Node's HTTP implementation that could be exploited by a remote attacker to access private information. This could be done by appending the contents of the HTTP parser's buffer to spoof a request header to make it appear to come from the attacker; echoing back the contents of such a request is usually safe, but in this case could expose information about other requests.

All versions of the 0.5.x and 0.6.x branches up to and including 0.6.16 are affected; versions 0.7.0 to 0.7.7 of the 0.7.x unstable development branch are also vulnerable. Upgrading to 0.6.17 or 0.7.8 fixes the problem. Alternatively, those who cannot or choose not to upgrade can apply a fix. The developers note that the 0.6.17 update also fixes some other important bugs such as a file descriptor leak in sync functions.

Further information about this update can be found in the announcement blog post and in the change log. Node.js 0.6.17 is available to download for Windows, Mac OS X or as source from the project's web site; documentation is provided. Source code for Node.js is published under an MIT licence.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit