Security Advisory Description
The 'path'
module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, splitPathRe
, used within the 'path'
module for the various path parsing functions, including path.dirname()
, path.extname()
and path.parse()
was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.
Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restored by reverting to the prior behaviour.
In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause Buffer.alloc()
to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying encoding
can be passed as a number, this is misinterpreted by Buffer's
internal “fill” method as the start
to a fill operation. This flaw may be abused where Buffer.alloc()
arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.
Impact
There is no impact; F5 products are not affected by this vulnerability.