Cybersecurity specialists reported the detection of at least two vulnerabilities residing in Node.js, the open-source, cross-platform, back-end JavaScript runtime environment that runs on the V8 engine and executes JavaScript code outside a web browser. According to the report, successful exploitation of these flaws would allow malicious actors to deploy denial of service (DoS) attacks.

Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-27290: SSRI5.2.2-8.0.0 (fixed in 8.0.1) processes SRIs using a regular expression vulnerable to DoS attacks. Malicious SRIs could take an extremely long time to process, leading to the DoS condition. The report mentions that this problem only affects consumers using the strict option.

The vulnerability received a CVSS score of 6.5/10.

CVE-2021-22918: A boundary condition in the uv__idna_toascii() function in libuv, used to convert strings to ASCII, allows remote threat actors to force the application and resolve a specially crafted hostname, trigger an out-of-bounds read error and gain access to sensitive information or perform DoS attacks.

Both security flaws reside in the following Node.js versions: 12.0.0, 12.1.0, 12.2.0, 12.3.0, 12.3.1, 12.4.0, 12.5.0, 12.6.0, 12.7.0, 12.8.0, 12.8.1, 12.9.0, 12.9.1, 12.10.0, 12.11.0, 12.11.1, 12.12.0, 12.13.0, 12.13.1, 12.14.0, 12.14.1, 12.15.0, 12.16.0, 12.16.1, 12.16.2, 12.16.3, 12.17.0, 12.18.0, 12.18.1, 12.18.2, 12.18.3, 12.18.4, 12.19.0, 12.19.1, 12.20.0, 12.20.1, 12.20.2, 12.21.0, 12.22.0, 12.22.1, 13.0.0, 13.0.1, 13.1.0, 13.2.0, 13.3.0, 13.4.0, 13.5.0, 13.6.0, 13.7.0, 13.8.0, 13.9.0, 13.10.0, 13.10.1, 13.11.0, 13.12.0, 13.13.0, 13.14.0, 14.0.0, 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.5.0, 14.6.0, 14.7.0, 14.8.0, 14.9.0, 14.10.0, 14.10.1, 14.11.0, 14.12.0, 14.13.0, 14.13.1, 14.14.0, 14.15.0, 14.15.1, 14.15.2, 14.15.3, 14.15.4, 14.15.5, 14.16.0, 14.16.1, 14.17.0, 14.17.1, 16.0.0, 16.1.0, 16.2.0, 16.3.0 6 & 16.4.0.

While the flaws can be exploited by unauthenticated remote threat actors, no exploit attempts have been detected in real scenarios or the existence of any malware variant associated with the attack. The security patches are already available, so cPanel recommends users of affected implementations to update as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post Patch these 2 new vulnerabilities in your Node.js applications appeared first on Information Security Newspaper | Hacking News.

You May Also Like

Anyone can bypass the Google and AWS Web Application Firewall (WAF) with an 8 KB POST request

Most web applications today must be protected against multiple hacking variants, such…

Critical Information disclosure, Incomplete cleanup and Race condition vulnerabilities in Citrix Hypervisor. Download hotfixes.

Citrix Hypervisor is an industry leading platform for cost-effective desktop, server, and…

Don’t buy this Fisher Price phone for kids; anyone can use its Bluetooth to spy on your family

Cybersecurity specialists report the appearance of a new toy with Bluetooth capabilities…

Unpatched zero-day argument injection vulnerability in the open source text editor Etherpad. Don’t open any unknown file

Cybersecurity specialists reported the detection of at least two vulnerabilities in Etherpad,…