Cybersecurity specialists reported the detection of at least two vulnerabilities residing in Node.js, the open-source, cross-platform, back-end JavaScript runtime environment that runs on the V8 engine and executes JavaScript code outside a web browser. According to the report, successful exploitation of these flaws would allow malicious actors to launch denial of service (DoS) attacks.

Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-27290: ssri 5.2.2-8.0.0 (fixed in 8.0.1) processes SRIs using a regular expression vulnerable to DoS attacks. Malicious SRIs could take an extremely long time to process, leading to the DoS condition. The report mentions that this problem only affects consumers using the strict option.

The vulnerability received a CVSS score of 6.5/10.

CVE-2021-22918: A boundary condition in the uv__idna_toascii() function in libuv, used to convert strings to ASCII, allows remote threat actors to force the application to resolve a specially crafted hostname, trigger an out-of-bounds read error and gain access to sensitive information or perform DoS attacks.

Both security flaws reside in the following Node.js versions: 12.0.0, 12.1.0, 12.2.0, 12.3.0, 12.3.1, 12.4.0, 12.5.0, 12.6.0, 12.7.0, 12.8.0, 12.8.1, 12.9.0, 12.9.1, 12.10.0, 12.11.0, 12.11.1, 12.12.0, 12.13.0, 12.13.1, 12.14.0, 12.14.1, 12.15.0, 12.16.0, 12.16.1, 12.16.2, 12.16.3, 12.17.0, 12.18.0, 12.18.1, 12.18.2, 12.18.3, 12.18.4, 12.19.0, 12.19.1, 12.20.0, 12.20.1, 12.20.2, 12.21.0, 12.22.0, 12.22.1, 13.0.0, 13.0.1, 13.1.0, 13.2.0, 13.3.0, 13.4.0, 13.5.0, 13.6.0, 13.7.0, 13.8.0, 13.9.0, 13.10.0, 13.10.1, 13.11.0, 13.12.0, 13.13.0, 13.14.0, 14.0.0, 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.5.0, 14.6.0, 14.7.0, 14.8.0, 14.9.0, 14.10.0, 14.10.1, 14.11.0, 14.12.0, 14.13.0, 14.13.1, 14.14.0, 14.15.0, 14.15.1, 14.15.2, 14.15.3, 14.15.4, 14.15.5, 14.16.0, 14.16.1, 14.17.0, 14.17.1, 16.0.0, 16.1.0, 16.2.0, 16.3.0 & 16.4.0.

While the flaws can be exploited by unauthenticated remote threat actors, no exploitation attempts have been detected in real scenarios, and no malware variant associated with the attack is known to exist. The security patches are already available, so cPanel recommends that users of affected implementations update as soon as possible.
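To find which installed copies of ssri fall in the range given for CVE-2021-27290 (5.2.2 through 8.0.0, fixed in 8.0.1), the following added example, which is not code from the report or from the ssri project, scans a parsed `package-lock.json`. The function names and the sample lockfile are constructed for illustration; the check is by version only and does not tell you whether the strict option is in use.

```javascript
// Added example: flag ssri copies in a parsed package-lock.json whose version
// is in the affected range stated in the article (5.2.2 through 8.0.0).
const AFFECTED_MIN = [5, 2, 2];
const AFFECTED_MAX = [8, 0, 0]; // fixed in 8.0.1
// Parse "major.minor.patch"; any pre-release/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}
function isAffectedSsri(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED_MIN) >= 0 && compare(v, AFFECTED_MAX) <= 0;
}

function findAffectedSsri(lock) {
  const hits = [];
  const check = (path, pkg) => {
    if (isAffectedSsri(pkg.version)) hits.push({ path, version: pkg.version });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/ssri$/.test(path)) check(path, pkg);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, pkg] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === "ssri") check(path, pkg);
      walk(pkg.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = { lockfileVersion: 1, dependencies: {
  ssri: { version: "8.0.1" },
  cacache: { version: "12.0.4", dependencies: { ssri: { version: "6.0.1" } } } } };
console.log(findAffectedSsri(sampleLock));
```

Against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffectedSsri`; nested copies pulled in by other packages are reported with their install path.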

The post Patch these 2 new vulnerabilities in your Node.js applications appeared first on Information Security Newspaper | Hacking News.