WARNING: OS COMMAND INJECTION VULNERABILITY IN NODE.JS
CVSS v3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
The Node.js project has released a security update for Node.js. This update resolves 3 vulnerabilities, including an OS command injection vulnerability.
The Centre for Cybersecurity Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. This report contains instructions to help your organization.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
An OS command injection vulnerability exists in Node.js versions earlier than 14.21.1, 16.18.1, 18.12.1 and 19.0.1 (within each release line). The cause is an insufficient IsAllowedHost check that can easily be bypassed: IsIPAddress does not properly verify that a host is a valid IP address before DNS requests are made, which allows DNS rebinding attacks.
Update the installation to the fixed version of its release line:
- Version 14.21.1
- Version 16.18.1
- Version 18.12.1
- Version 19.0.1
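Added example (the editor's own, not from the advisory or the Node.js project): a POSIX shell check that compares an installed Node.js version against the fixed releases listed above and reports whether an update is still required. The function names are the editor's; when no `node` binary is present it falls back to a constructed sample version so the script runs offline.

```shell
# Fixed Node.js releases per release line, as listed in the advisory.
fixed_for_major() {
  case "$1" in
    14) echo "14.21.1" ;;
    16) echo "16.18.1" ;;
    18) echo "18.12.1" ;;
    19) echo "19.0.1" ;;
    *)  echo "" ;;   # release line not covered by this advisory
  esac
}

# version_lt A B: true when A < B numerically; accepts a leading "v", drops pre-release tags.
version_lt() {
  a=${1#v}; a=${a%%-*}; b=${2#v}; b=${b%%-*}
  set -- $(printf '%s' "$a" | tr '.' ' ')
  a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $(printf '%s' "$b" | tr '.' ' ')
  b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  [ "$a1" -lt "$b1" ] && return 0
  [ "$a1" -gt "$b1" ] && return 1
  [ "$a2" -lt "$b2" ] && return 0
  [ "$a2" -gt "$b2" ] && return 1
  [ "$a3" -lt "$b3" ]
}

# node_is_vulnerable VERSION: true when VERSION is below the fixed release of its
# major line. Lines the advisory does not list are flagged rather than assumed safe.
node_is_vulnerable() {
  v=${1#v}; v=${v%%-*}
  fixed=$(fixed_for_major "${v%%.*}")
  if [ -z "$fixed" ]; then
    echo "$1: release line not listed in the advisory, verify separately" >&2
    return 1
  fi
  version_lt "$v" "$fixed"
}

# Check the locally installed node; use a constructed sample when none exists.
if command -v node >/dev/null 2>&1; then
  installed=$(node --version)
else
  installed="v18.12.0"   # constructed sample value for an offline run
fi
if node_is_vulnerable "$installed"; then
  echo "$installed is below its fixed release: update required"
else
  echo "$installed is not below the fixed releases listed in the advisory"
fi
```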