Node.js Update Fixes a Serious Remote Denial-of-Service Flaw – InApps Technology

The Node.js maintainers have fixed a security issue in zlib compression that could be exploited by attackers to remotely crash the runtime.

The vulnerability is tracked as CVE-2017-14919 and stems from a change in zlib v1.2.9 that altered the behavior of the windowBits parameter: the library previously accepted values between 8 and 15, but now requires a minimum of 9.

Zlib is a compression library that implements the gzip and deflate/inflate algorithms. It is used to compress data streams and HTTP requests and responses, saving bandwidth. The windowBits parameter defines how much of a message the library keeps in memory while the message is being compressed.

A larger window can yield better compression because the algorithm has more opportunities to find repeated sequences of data, but it also raises the memory usage of the process.

Node.js’ zlib module lets callers set windowBits, and some clients are configured to request the minimum value, which used to be 8 and is no longer supported. When handling such requests, Node.js versions built with zlib 1.2.9 crash or throw an exception, resulting in a denial-of-service condition.

“This problem (Node.js crashing or throwing an exception) could be remotely exploited using some of the existing WebSocket clients that may request a value of 8 for windowBits in certain cases or with a custom built WebSocket client,” the Node.js developers said in an advisory. “There may also exist other vectors through which a zLib operation would be initiated by a remote request with a window size that results in a value of windowBits of 8.”

For some versions the Node.js runtime cannot recover from the crash by itself, so the impact is pretty serious.

Users are advised to upgrade to Node v8.8.0, v6.11.15 (LTS “Boron”) or v4.8.5 (LTS “Argon”). These versions automatically modify any requests for a windowBits size of 8 to use a size of 9 instead.

The latest releases also include many other bug fixes. The notable changes for the “current” 8.8.0 branch include: exposing the Elliptic-curve Diffie-Hellman (ECDH) class for cryptographic key agreement, exposing http2 by default without the need for a flag, adding a new environment variable called NODE_NO_HTTP2 and adding resolve and instantiate loader pipeline hooks to the ESM lifecycle.

Feature image: Pixabay, zLib.



Source: InApps.net
