Weaknesses in Node.js and libuv

Corrective releases of the server-side JavaScript platform Node.js 21.6.2, 20.11.1 and 18.19.1 are available, fixing 8 vulnerabilities, 4 of which are rated high severity:

  • CVE-2024-21892 – the ability for an unprivileged user to inject code that inherits the elevated privileges with which the process runs. The vulnerability is caused by a bug in the implementation of an exception that allows a process with elevated privileges to honour environment variables set by an unprivileged user. The exception should have applied only to the CAP_NET_BIND_SERVICE capability, but due to the bug it also applied to some other capabilities.
  • CVE-2024-22019 – denial of service through exhaustion of available resources (CPU load and bandwidth consumption) when the built-in HTTP server processes specially crafted chunked requests, leading to an unbounded number of bytes being read on a single connection.
  • CVE-2024-21896 – escaping the base directory in file paths. The vulnerability allows bypassing the path normalization performed by path.resolve() when the path is passed as a Buffer. After verification, the path is obtained with Buffer.from(), but the application may call Buffer.prototype.utf8Write, which overwrites the buffer's contents after path.resolve() has already run, creating the vulnerability.
  • CVE-2024-22017 – the setuid() call did not drop all privileges. In particular, setuid() does not affect the io_uring operations used by libuv if they were initialized before setuid() was called.
  • CVE-2023-46809 – a vulnerability in the privateDecrypt() API that allows the Marvin attack, which recovers RSA plaintext based on the timing of operations.
  • CVE-2024-21891 – the ability to bypass the permission model when using custom file path normalization handlers.
  • CVE-2024-21890 – incorrect processing of masks in the “--allow-fs-read” and “--allow-fs-write” parameters. For example, “--allow-fs-read=/home/node/.ssh/*.pub” allows access to all contents of “.ssh/”, not just files with the extension “.pub”, since the mask “*” is treated as the last element of the path.
  • CVE-2024-22025 – denial of service through resource consumption when decoding Brotli-compressed data received through a fetch() call.

Additionally, we can note the release of the library libuv 1.48.0, used in Node.js for connection multiplexing and asynchronous I/O processing. Besides Node.js, the library is also used by the DNS servers BIND 9 and Knot DNS, the HTTP server H2O, the Lua framework Luvit, the MoarVM virtual machine, the Julia language and the Python framework uvloop. The new version eliminates a vulnerability (CVE-2024-24806) that affects projects using libuv and allows an SSRF (Server-Side Request Forgery) attack to gain access to internal APIs. The vulnerability arose because the uv_getaddrinfo() function truncated the host name to 256 characters before resolving the domain through the getaddrinfo() function, which can lead to the wrong IP address being determined and checks being bypassed. For example, services like MySpace that create subdomains of the form “username.example.com” can be attacked by specifying a long username.
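The defensive counterpart to the uv_getaddrinfo() truncation described above, as an added example that is not part of the article or of the libuv/Node.js code: a host name validator that enforces the DNS length limits (253 characters in total, 63 per label) before a name is handed to any resolver, so an over-long name is rejected outright instead of being silently cut to 256 bytes. The `tenantHostname` helper and the `example.com` zone are assumptions for illustration.

```javascript
// Added example: reject host names that exceed DNS limits before resolution.
// Any name that passes this check is at most 253 characters, so it can never
// hit the 256-byte truncation in vulnerable libuv versions (CVE-2024-24806).
const MAX_HOSTNAME_LEN = 253; // RFC 1035: dotted name without trailing dot
const MAX_LABEL_LEN = 63;     // RFC 1035: per-label limit
// Conservative hostname syntax: letters, digits, inner hyphens only.
const LABEL_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/i;

// Returns { ok: true, host } with a lower-cased canonical name, or
// { ok: false, reason } explaining why the input must not be resolved.
function validateHostname(name) {
  if (typeof name !== 'string') return { ok: false, reason: 'not a string' };
  // A single trailing dot (absolute name) is allowed and stripped.
  const host = name.endsWith('.') ? name.slice(0, -1) : name;
  if (host.length === 0) return { ok: false, reason: 'empty' };
  if (host.length > MAX_HOSTNAME_LEN) return { ok: false, reason: 'too long' };
  for (const label of host.split('.')) {
    if (label.length === 0 || label.length > MAX_LABEL_LEN) {
      return { ok: false, reason: 'bad label length' };
    }
    if (!LABEL_RE.test(label)) return { ok: false, reason: 'bad label chars' };
  }
  return { ok: true, host: host.toLowerCase() };
}

// Hypothetical multi-tenant helper: builds "username.zone" the way a service
// creating per-user subdomains might, and refuses unsafe input before the
// name reaches dns.lookup() / uv_getaddrinfo().
function tenantHostname(username, zone) {
  const r = validateHostname(`${username}.${zone}`);
  if (!r.ok) throw new Error(`rejected host name: ${r.reason}`);
  return r.host;
}

module.exports = { validateHostname, tenantHostname };
```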

An update has also been released for the HTTP client used in Node.js, undici 5.28.3, which eliminates a vulnerability (CVE-2024-24758) caused by the Proxy-Authorization HTTP header not being cleared when requests are redirected.
