Wednesday, April 3, 2024 Security Releases

The Node.js Project

Security releases available

Updates are now available for the v18.x, v20.x and 21.x Node.js release lines for the following issues.

This security release includes the following dependency updates to address public vulnerabilities:

  • llhttp version 9.2.1 on 21.x, 20.x, and 18.x
  • undici version 6.11.1 on 21.x
  • undici version 5.28.4 on 18.x and 20.x

Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash (CVE-2024-27983) - (High)

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 frame packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after a reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and the TCP connection is then abruptly closed by the client, triggering the Http2Session destructor while header frames are still being processed (and stored in memory), causing a race condition.

Impacts:

  • This vulnerability affects all users in all active release lines: 18.x, 20.x, and 21.x.

Thank you to bart for reporting this vulnerability and to Anna Henningsen for fixing it.

HTTP Request Smuggling via Content Length Obfuscation - (CVE-2024-27982) - (Medium)

The team has identified a vulnerability in the HTTP server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a Content-Length header, it is not interpreted correctly, enabling attackers to smuggle a second request within the body of the first.

Impacts:

  • This vulnerability affects all users in all active release lines: 18.x, 20.x, and 21.x.

Thank you to bpingel for reporting this vulnerability and to Paolo Insogna for fixing it.
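The smuggling described above relies on a header section that a lenient parser accepts and a strict one rejects. The following validator is an added example, not code from Node.js or llhttp: it applies the RFC 9112 rules that a field-name must be a token (so no whitespace may sit between the name and the colon) and that a line beginning with whitespace (obsolete line folding) is an error, and it additionally refuses conflicting framing. The sample requests are constructed for illustration.

```javascript
// Added example (not Node.js project code): strict HTTP/1.1 header-section
// validation of the kind a front-end or intermediary can use to reject
// requests whose framing headers are malformed instead of guessing at them.

// RFC 9110 token characters: the only characters allowed in a field-name.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Returns { ok: true, headers: Map } or { ok: false, reason: string }.
function validateHeaderSection(rawRequest) {
  const lines = rawRequest.split('\r\n');
  const requestLine = lines.shift();
  if (!/^[A-Z]+ \S+ HTTP\/1\.[01]$/.test(requestLine)) {
    return { ok: false, reason: 'malformed request line' };
  }
  const headers = new Map();
  for (const line of lines) {
    if (line === '') break; // blank line ends the header section
    if (line[0] === ' ' || line[0] === '\t') {
      // Obsolete line folding: a leading space/tab must not start a header line.
      return { ok: false, reason: 'leading whitespace (obs-fold) rejected' };
    }
    const colon = line.indexOf(':');
    if (colon <= 0) return { ok: false, reason: 'missing colon' };
    const name = line.slice(0, colon);
    if (!TOKEN_RE.test(name)) {
      // Rejects "Content-Length :" and any other non-token field-name.
      return { ok: false, reason: `invalid field-name ${JSON.stringify(name)}` };
    }
    const value = line.slice(colon + 1).trim();
    const key = name.toLowerCase();
    if (key === 'content-length') {
      if (!/^\d+$/.test(value)) return { ok: false, reason: 'non-numeric Content-Length' };
      if (headers.has(key) && headers.get(key) !== value) {
        return { ok: false, reason: 'conflicting Content-Length values' };
      }
    }
    headers.set(key, value);
  }
  if (headers.has('content-length') && headers.has('transfer-encoding')) {
    return { ok: false, reason: 'both Content-Length and Transfer-Encoding present' };
  }
  return { ok: true, headers };
}

// Constructed sample requests (not taken from the advisory).
const GOOD = 'POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello';
const BAD_SPACE_BEFORE_COLON = 'POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\nhello';
const BAD_OBS_FOLD = 'POST /upload HTTP/1.1\r\nHost: example.test\r\n Content-Length: 5\r\n\r\nhello';
```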


Summary

The Node.js project will release new versions of the 18.x, 20.x and 21.x release lines on or shortly after Wednesday, April 3, 2024 in order to address:

  • 1 medium severity issue.
  • 1 high severity issue.

Impact

The 18.x release line of Node.js is vulnerable to 1 medium severity issue, 1 high severity issue. The 20.x release line of Node.js is vulnerable to 1 medium severity issue, 1 high severity issue. The 21.x release line of Node.js is vulnerable to 1 medium severity issue, 1 high severity issue.

Release timing

Releases will be available on, or shortly after, Wednesday, April 3, 2024.

Contact and future updates

The current Node.js security policy can be found at https://nodejs.org/en/security/. Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.