Node.js Releases Urgent Patches for Multiple Vulnerabilities Exposing Systems to DoS and Crashes

Node.js Issues High-Severity Security Update

The Node.js project has released security updates for its supported release lines, including the 20.x Long-Term Support (LTS) line at version 20.20.2 'Iron', fixing multiple vulnerabilities. The highest-rated issue is high severity; the impacts range from remote process crashes and Denial of Service (DoS) to a cryptographic timing oracle and permission model bypasses, and the patches should be applied promptly.

High-Severity TLS Crash Vulnerability

The most severe vulnerability patched is CVE-2026-21637, a high-severity flaw in Node.js TLS error handling. Invocations of SNICallback were not protected against synchronous exceptions: if the callback, or the certificate lookup it performs, throws, the exception escapes the TLS layer as an uncaught exception and the process terminates. Because the server name that reaches the callback comes from the client's ClientHello, a remote peer chooses the input, which is why this counts as a remote process crash. Servers that select certificates per hostname, such as multi-tenant TLS terminators and reverse proxies that set SNICallback, are the ones exposed.

HTTP/2 and V8 Denial-of-Service Risks

The update also addresses CVE-2026-21714, a medium-severity HTTP/2 flow control error in the nghttp2-backed implementation that a remote client can exploit to make the server leak memory until it is exhausted, a Denial of Service. Developers have also patched CVE-2026-21717, which involves the V8 engine's internal string hashing: JSON.parse() input crafted so that its keys collide in V8's string hash table degrades property lookups from constant toward linear time (a HashDoS), so a request body of modest size can consume CPU far out of proportion to its length. Upgrading is the fix; capping request body size in front of JSON.parse() limits, but does not remove, the exposure of unpatched builds.

Cryptographic and Permission Model Flaws

The update also resolves CVE-2026-21713, a medium-severity cryptographic timing oracle in the Web Cryptography API's HMAC verification (subtle.verify). The comparison of the supplied tag against the expected one was not constant-time, so an attacker able to submit candidate tags and measure response times could recover a valid MAC incrementally, which is the MAC-forgery impact listed in the summary below. The fix switches the comparison to an existing timing-safe primitive rather than introducing new cryptographic code.

Low-Severity Permission Model Bypasses

The update also closes two low-severity permission model bypasses, CVE-2026-21715 and CVE-2026-21716, which let code running under the permission model (enabled with --permission, or --experimental-permission on the 20.x line) learn whether files exist and resolve symlink targets outside the directories it was granted read access to. The impact is limited to path disclosure, hence the low rating, but that is precisely the kind of reconnaissance the permission model exists to prevent.

Vulnerability Summary

Each entry gives the CVE, its severity, the affected component, and the impact.

  • CVE-2026-21637: High severity; TLS / SNICallback; remote process crash
  • CVE-2026-21717: Medium severity; V8 / JSON parsing; HashDoS / CPU exhaustion
  • CVE-2026-21713: Medium severity; Web Crypto / HMAC; timing oracle / MAC forgery
  • CVE-2026-21714: Medium severity; HTTP/2 / nghttp2; memory leak / DoS
  • CVE-2026-21710: Medium severity; HTTP headers; prototype pollution
  • CVE-2026-21716: Low severity; Permission Model (fs/promises); filesystem path disclosure
  • CVE-2026-21715: Low severity; Permission Model (realpath); filesystem path disclosure

Immediate Action Required

System administrators and developers should upgrade their environments promptly to mitigate these risks. Public-facing TLS servers, especially those that set SNICallback, should prioritize the update, since CVE-2026-21637 can be triggered remotely and terminates the whole process.

Patched Releases Available

The patched releases are v20.20.2, v22.22.2, v24.14.1, and v25.8.2, available for all major operating systems through the official Node.js distribution channels. Check the running version with node --version, and remember that container images and CI runners pinned to an older tag need their base image bumped and rebuilt; upgrading the host alone does not patch them.


Original article: https://gbhackers.com/node-js-releases-urgent-patches-for-multiple-vulnerabilities/