Arch Linux Security Advisory ASA-202101-16
==========================================

Severity: High
Date    : 2021-01-12
CVE-ID  : CVE-2020-8265 CVE-2020-8287
Package : nodejs
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-1400

Summary
=======

The package nodejs before version 15.5.1-1 is vulnerable to multiple
issues including arbitrary code execution and url request injection.

Resolution
==========

Upgrade to 15.5.1-1.

# pacman -Syu "nodejs>=15.5.1-1"

The problems have been fixed upstream in version 15.5.1.

Workaround
==========

None.

Description
===========

- CVE-2020-8265 (arbitrary code execution)

The nodejs release lines 15.x, 14.x, 12.x and 10.x are vulnerable to a
use-after-free bug in their TLS implementation. When writing to a
TLS-enabled socket, node::StreamBase::Write calls
node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as
first argument. If the DoWrite method does not return an error, this
object is passed back to the caller as part of a StreamWriteResult
structure. This may be exploited to corrupt memory leading to a Denial
of Service or potentially other exploits. The issue is fixed in nodejs
versions 15.5.1, 14.15.4, 12.20.1 and 10.23.1.

- CVE-2020-8287 (url request injection)

The nodejs release lines 15.x, 14.x, 12.x and 10.x allow two copies of
a header field in an HTTP request, for example two Transfer-Encoding
header fields. In this case Node.js identifies the first header field
and ignores the second. This can lead to HTTP Request Smuggling. The
issue is fixed in nodejs versions 15.5.1, 14.15.4, 12.20.1 and
10.23.1.

Impact
======

A malicious user could achieve data exfiltration through HTTP headers
or execute arbitrary code through poor API usage.

References
==========

https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ
https://github.com/nodejs-private/node-private/issues/227
https://hackerone.com/bugs?subject=nodejs&report_id=988103
https://github.com/nodejs/node/commit/9834ef85a0a549a45a98f04dc51af1782a7126ee
https://github.com/nodejs/node/commit/4f8772f9b731118628256189b73cd202149bbd97
https://github.com/nodejs/node/commit/5b00de7d67a1372aa342115ad28edd3f78268bb6
https://github.com/nodejs/node/commit/7f178663ebffc82c9f8a5a1b6bf2da0c263a30ed
https://github.com/nodejs/node/commit/357e2857c8385c303782ced2ac8b568df06d4326
https://hackerone.com/bugs?report_id=1002188&subject=nodejs
https://github.com/nodejs-private/llhttp-private/pull/3
https://github.com/nodejs/node/commit/e0c9a2285cfe18642d15d5ed9b7122755c6e66e0
https://github.com/nodejs/node/commit/c5dbe831b714b3a98c59ba2406b791fb27016d79
https://github.com/nodejs/node/commit/641f786bb1a1f6eb1ff8750782ed939780f2b31a
https://github.com/nodejs/node/commit/7ecac8143f0a91785ed0bd3b4d9aab5d98419b41
https://github.com/nodejs/node/commit/92d430917a63a567bb528100371263c46e50ee4a
https://github.com/nodejs/node/commit/4a30ac8c755d0701e773831ce22153b66bb36305
https://github.com/nodejs/node/commit/420244e4d9ca6de2612e7f503f5c87e448fbc14b
https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e
https://github.com/nodejs/node/commit/aa6b97fb99d7528649fadb4c6a894e078fe4323c
https://security.archlinux.org/CVE-2020-8265
https://security.archlinux.org/CVE-2020-8287
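
A check for the duplicated-header condition described under CVE-2020-8287, written as an added example; it is not code from this advisory or from the Node.js project. It goes slightly beyond the advisory's Transfer-Encoding case by also covering Content-Length, and the function names and sample requests are constructed for illustration (the flat name/value list matches the shape of Node's req.rawHeaders, which preserves duplicates).

```javascript
// Added example: flag requests that repeat a message-framing header,
// the pattern behind CVE-2020-8287. Function names are hypothetical.

// Assumption: these two fields decide where a request body ends.
const FRAMING_HEADERS = ['transfer-encoding', 'content-length'];

// Split a raw HTTP/1.1 request head into the flat [name, value, ...] shape
// that Node exposes as req.rawHeaders (duplicates are preserved there).
function parseRawHead(head) {
  const flat = [];
  for (const line of head.split('\r\n').slice(1)) { // skip the request line
    if (line === '') break;                          // blank line ends the header block
    const idx = line.indexOf(':');
    if (idx <= 0) continue;                          // not a "name: value" field line
    flat.push(line.slice(0, idx).trim(), line.slice(idx + 1).trim());
  }
  return flat;
}

// Return every framing header that occurs more than once, with all its values.
function findDuplicateFramingHeaders(rawHeaders) {
  const seen = new Map();
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();        // field names are case-insensitive
    if (!FRAMING_HEADERS.includes(name)) continue;
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(rawHeaders[i + 1]);
  }
  return [...seen]
    .filter(([, values]) => values.length > 1)
    .map(([name, values]) => ({ name, values }));
}

// Constructed sample requests (not captured traffic).
const SAMPLE_DUPLICATE = [
  'POST /upload HTTP/1.1', 'Host: app.example',
  'Transfer-Encoding: chunked', 'transfer-encoding: identity', '', '',
].join('\r\n');
const SAMPLE_CLEAN = [
  'POST /upload HTTP/1.1', 'Host: app.example',
  'Transfer-Encoding: chunked', '', '',
].join('\r\n');

console.log(findDuplicateFramingHeaders(parseRawHead(SAMPLE_DUPLICATE)));
console.log(findDuplicateFramingHeaders(parseRawHead(SAMPLE_CLEAN)));
```

In a Node server the second function can be called directly on req.rawHeaders, since req.headers has already merged or discarded the duplicates by the time a handler sees it.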