May 8, H Security – (International) Node.js update fixes information disclosure vulnerability. The Node.js developers are advising all users to upgrade to the latest stable release of their JavaScript-based, event-driven application framework as soon as possible. Version 0.6.17 of Node.js closes a security hole in Node's HTTP implementation that a remote attacker could exploit to read private information. A specially crafted request could cause the contents of the HTTP parser's buffer to be appended to a spoofed request header; echoing a request header back to the client is usually harmless, but in this case the echoed value could contain data belonging to other requests. All versions of the 0.5.x and 0.6.x branches up to and including 0.6.16 are affected, as are versions 0.7.0 to 0.7.7 of the 0.7.x unstable development branch. Upgrading to 0.6.17 or 0.7.8 fixes the problem; those who cannot or choose not to upgrade can apply the developers' patch instead. The developers note that the 0.6.17 update also fixes other important bugs, including a file descriptor leak in the synchronous (sync) functions.
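The practical task this advisory leaves an operator with is working out which hosts run an affected release. The following is an added example, not code from the H Security item or from the Node.js project: it encodes the version ranges the advisory names (every 0.5.x, 0.6.0 to 0.6.16, 0.7.0 to 0.7.7 vulnerable; 0.6.17 and 0.7.8 fixed) and classifies version strings against them, so an inventory can be triaged offline. The function names and the host list are assumptions made for the example, and it assumes that release lines newer than 0.7.8 carry the fix; release lines the advisory does not mention (0.4.x and earlier) are reported as not listed rather than silently treated as safe.

```javascript
// Added example (not from the H Security item or the Node.js project):
// classify Node.js version strings against the ranges named in the advisory.
//
// Ranges as stated in the advisory:
//   vulnerable: every 0.5.x; 0.6.0 through 0.6.16; 0.7.0 through 0.7.7
//   fixed:      0.6.17 and 0.7.8
// Assumption: lines newer than 0.7.8 (0.8.x and later) carry the fix.
// Function names and the sample inventory below are hypothetical.

// Parse "v0.6.16", "0.6.16" or "0.6.16-pre" into [major, minor, patch].
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised Node.js version string: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns 'vulnerable', 'fixed' or 'not-listed'. 'not-listed' covers release
// lines the advisory says nothing about (0.4.x and earlier); they need a
// separate look instead of being counted as safe.
function classify(version) {
  const [major, minor, patch] = parseVersion(version);
  if (major > 0 || minor > 7) return 'fixed';           // assumption: newer lines carry the fix
  if (minor === 7) return patch <= 7 ? 'vulnerable' : 'fixed';
  if (minor === 6) return patch <= 16 ? 'vulnerable' : 'fixed';
  if (minor === 5) return 'vulnerable';
  return 'not-listed';
}

// Smallest fixed release the advisory offers for a vulnerable version.
// 0.5.x users move to the stable 0.6 line, matching the advisory's advice.
function upgradeTarget(version) {
  const [major, minor] = parseVersion(version);
  if (major !== 0) return null;
  if (minor === 7) return '0.7.8';
  if (minor === 5 || minor === 6) return '0.6.17';
  return null;
}

// Triage a list of {host, version} records into one row per host.
function triage(inventory) {
  return inventory.map(({ host, version }) => {
    const status = classify(version);
    return {
      host,
      version,
      status,
      upgradeTo: status === 'vulnerable' ? upgradeTarget(version) : null,
    };
  });
}

// Constructed sample inventory (hypothetical hosts, not real data).
const SAMPLE_INVENTORY = [
  { host: 'api-1',  version: 'v0.6.16' },
  { host: 'api-2',  version: 'v0.6.17' },
  { host: 'build',  version: 'v0.7.7'  },
  { host: 'legacy', version: 'v0.4.12' },
  { host: 'canary', version: 'v0.8.0'  },
];

const REPORT = triage(SAMPLE_INVENTORY);
console.log(JSON.stringify(REPORT, null, 2));
```

On a real fleet the version strings would come from `node -v` on each host; the classifier is deliberately strict about the input format and throws on anything it cannot parse, so a garbled inventory line fails loudly rather than being scored as fixed.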

Ali Loney is a Senior UX Designer at Walmart Labs. She is based in Canada and was the former Graphic Designer at Sonatype.