CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 71.6%
The vulnerability in the OpenSSL security release of Oct 11 2022 does not affect any active Node.js release line. Likewise, the zlib vulnerability (CVE-2022-37434), patched in the zlib security release of Oct 13 2022, does not affect Node.js.
Our assessment of the security advisory is:
NID_undef may lead to NULL encryption (CVE-2022-3358)
Node.js doesn’t call EVP_CIPHER_meth_new(NID_undef, ...). Therefore, Node.js is not affected by this vulnerability.
Our assessment of CVE-2022-37434 is:
Node.js doesn’t call inflateGetHeader. Therefore, Node.js is not affected by this vulnerability.
For further information, see nodejs-dependency-vuln-assessments#50.
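Both assessments above rest on the same check: does code outside the bundled dependency call the affected function? The following is an added example, not code from the Node.js project or its assessment workflow. It runs that call-site check over a small constructed source tree; the file names, file contents and the `findCallSites` helper are assumptions made for illustration.

```javascript
// Constructed sample sources (not real Node.js, zlib or OpenSSL files).
const SAMPLE_TREE = {
  'deps/zlib/inflate.c':
    'int ZEXPORT inflateGetHeader(z_streamp strm, gz_headerp head) { return 0; }\n',
  'src/compress_a.cc':
    '// inflateGetHeader(&strm, &hdr) is never needed here\n' +
    'int Init(z_stream* strm) { return inflateInit2(strm, 15); }\n',
  'src/compress_b.cc':
    'int ReadHeader(z_stream* s, gz_header* h) {\n' +
    '  return inflateGetHeader(s, h);\n}\n',
  'src/cipher_a.cc':
    'EVP_CIPHER* c = EVP_CIPHER_meth_new(NID_aes_128_cbc, 16, 16);\n',
  'src/cipher_b.cc':
    'EVP_CIPHER* c = EVP_CIPHER_meth_new( NID_undef, 1, 16);\n',
};

// Blank out comments and string literals, keeping newlines so line numbers hold.
function stripNonCode(src) {
  const re = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\\n])*"/g;
  return src.replace(re, (m) => m.replace(/[^\n]/g, ' '));
}

// Return "path:line" for each call to `symbol` outside `vendorDir`. If `firstArg`
// is given, only calls whose first argument is exactly that token are reported.
function findCallSites(tree, symbol, vendorDir, firstArg) {
  const arg = firstArg ? `\\s*${firstArg}\\s*[,)]` : '';
  const re = new RegExp(`\\b${symbol}\\s*\\(${arg}`, 'g');
  const hits = [];
  for (const [path, src] of Object.entries(tree)) {
    if (path.startsWith(vendorDir)) continue; // the definition, not a caller
    const code = stripNonCode(src);
    for (const m of code.matchAll(re)) {
      const line = code.slice(0, m.index).split('\n').length;
      hits.push(`${path}:${line}`);
    }
  }
  return hits;
}

console.log(findCallSites(SAMPLE_TREE, 'inflateGetHeader', 'deps/zlib/'));
console.log(findCallSites(SAMPLE_TREE, 'EVP_CIPHER_meth_new', 'deps/openssl/', 'NID_undef'));
```

An empty result supports a "not affected" conclusion only for direct textual calls; calls made through macros, function pointers or other bundled dependencies need separate review.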
The Node.js Security team created an automated workflow that aims to address all public CVEs of Node.js dependencies.
This initiative aims to reduce the gap between a dependency security release and a Node.js assessment. The repository is available at nodejs/nodejs-dependency-vuln-assessments, and the assessments are made through the issues.
Be sure to watch the repository if you are interested in security patches.