Cybersecurity specialists reported the detection of at least two vulnerabilities residing in Node.js, the open-source, cross-platform, back-end JavaScript runtime environment that runs on the V8 engine and executes JavaScript code outside a web browser. According to the report, successful exploitation of these flaws would allow malicious actors to deploy denial of service (DoS) attacks.
Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).
CVE-2021-27290: SSRI5.2.2-8.0.0 (fixed in 8.0.1) processes SRIs using a regular expression vulnerable to DoS attacks. Malicious SRIs could take an extremely long time to process, leading to the DoS condition. The report mentions that this problem only affects consumers using the strict option.
The vulnerability received a CVSS score of 6.5/10.
CVE-2021-22918: A boundary condition in the uv__idna_toascii() function in libuv, used to convert strings to ASCII, allows remote threat actors to force the application and resolve a specially crafted hostname, trigger an out-of-bounds read error and gain access to sensitive information or perform DoS attacks.
Both security flaws reside in the following Node.js versions: 12.0.0, 12.1.0, 12.2.0, 12.3.0, 12.3.1, 12.4.0, 12.5.0, 12.6.0, 12.7.0, 12.8.0, 12.8.1, 12.9.0, 12.9.1, 12.10.0, 12.11.0, 12.11.1, 12.12.0, 12.13.0, 12.13.1, 12.14.0, 12.14.1, 12.15.0, 12.16.0, 12.16.1, 12.16.2, 12.16.3, 12.17.0, 12.18.0, 12.18.1, 12.18.2, 12.18.3, 12.18.4, 12.19.0, 12.19.1, 12.20.0, 12.20.1, 12.20.2, 12.21.0, 12.22.0, 12.22.1, 13.0.0, 13.0.1, 13.1.0, 13.2.0, 13.3.0, 13.4.0, 13.5.0, 13.6.0, 13.7.0, 13.8.0, 13.9.0, 13.10.0, 13.10.1, 13.11.0, 13.12.0, 13.13.0, 13.14.0, 14.0.0, 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.5.0, 14.6.0, 14.7.0, 14.8.0, 14.9.0, 14.10.0, 14.10.1, 14.11.0, 14.12.0, 14.13.0, 14.13.1, 14.14.0, 14.15.0, 14.15.1, 14.15.2, 14.15.3, 14.15.4, 14.15.5, 14.16.0, 14.16.1, 14.17.0, 14.17.1, 16.0.0, 16.1.0, 16.2.0, 16.3.0 6 & 16.4.0.
While the flaws can be exploited by unauthenticated remote threat actors, no exploit attempts have been detected in real scenarios or the existence of any malware variant associated with the attack. The security patches are already available, so cPanel recommends users of affected implementations to update as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
