Node.js Apps Vulnerable to ReDoS Attacks

Researchers found 25 previously unknown vulnerabilities in popular Node.js modules
21 August 2018

Researchers from the Darmstadt Technical University (Germany) discovered 25 new vulnerabilities in Node.js modules. They expose web servers and applications to ReDoS attacks, leading to denial of service lasting from a few seconds to a minute. This was reported by Bleeping Computer.

At the moment, 340 websites are known to contain at least one of the vulnerabilities.

ReDoS attacks (Regular Expression Denial of Service) exploit the poor performance of code that evaluates certain regular expressions. An attacker submits a large and specially constructed piece of text to the server or application as input. If the service's components are not designed to handle such input, the resource or application freezes completely for as long as it takes to process it.

Sending just a few more such packets keeps the server "frozen" for longer.

Many programming languages and web services are vulnerable to this kind of attack. In the case of JavaScript the consequences are worse, because the language uses a single-threaded execution model in which requests are processed one after another. As a result, a ReDoS attack does not slow down one specific operation but blocks the entire server.
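As an added illustration (not from the article or the researchers' published proof-of-concepts), the snippet below times a classic nested-quantifier pattern against an unambiguous pattern that matches the same strings, and shows an input-length guard as a pattern-independent mitigation; the patterns, the near-miss inputs and the 1000-character limit are constructed for this example.

```javascript
// Added example (not from the article): a regex with nested quantifiers, the
// classic /^(a+)+$/ shape, backtracks exponentially on a near-miss input, while
// an equivalent pattern without ambiguity runs in linear time. Because Node.js
// runs JavaScript on a single thread, the whole event loop is stalled for as
// long as re.test() takes. All inputs and the length limit are constructed.

// Vulnerable: "one or more a, repeated one or more times" is ambiguous, so on a
// string of a's followed by a non-matching character the engine retries every
// way of splitting the a's into groups before giving up.
const VULNERABLE = /^(a+)+$/;

// Hardened: matches exactly the same strings, but there is only one way to
// consume the a's, so a mismatch is rejected after a single pass.
const HARDENED = /^a+$/;

// Pattern-independent mitigation: bound input size before it reaches the regex
// engine (assumed limit for this example).
const MAX_INPUT_LENGTH = 1000;

function timedTest(re, input) {
  if (input.length > MAX_INPUT_LENGTH) {
    return { matched: false, rejected: true, ms: 0 };
  }
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, rejected: false, ms };
}

// Constructed near-miss input: n a's followed by a character that cannot match.
function nearMiss(n) {
  return "a".repeat(n) + "!";
}

// Run the same near-miss through both patterns and report the time each took.
function compare(n) {
  const input = nearMiss(n);
  return { vulnerable: timedTest(VULNERABLE, input), hardened: timedTest(HARDENED, input) };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const n of [10, 16, 22]) {
    const r = compare(n);
    console.log(`n=${n}: vulnerable ${r.vulnerable.ms.toFixed(2)} ms, hardened ${r.hardened.ms.toFixed(3)} ms`);
  }
}
```

Each additional "a" roughly doubles the time the vulnerable pattern takes, which is why a single modestly sized request is enough to stall the process.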

ReDoS attacks have been known since 2012, but at the time JavaScript, and Node.js in particular, was not widely used in web development, so for more than five years the problem was ignored.

The researchers published a list of modules in which at least one previously unknown vulnerability was detected:

Vulnerable modules

They reported the issues to the developers of the npm modules and published on GitHub a proof-of-concept exploit for each of them. The researchers also created a tool that can identify vulnerable sites without carrying out a full-fledged attack. With it, 339 resources were found, 12% of all those based on Node.js.

Node.js v12.0.0 to be Rolled Out

It has a giant list of updates, improvements and changes
24 April 2019

The release of Node.js 12.0.0, a platform for running network applications in JavaScript, is available. Node.js 12.0 belongs to the long-term support (LTS) branches, but this status will be assigned only in October, after stabilization. Updates for LTS branches are issued for 3 years. Support for the latest LTS branch, Node.js 10.0, will last until April 2021, and for the previous LTS branch, 8.0, until January 2020. Support for the intermediate branch Node.js 11.0 will be discontinued in June 2019. The lifetime of the LTS branch 6.0 will end on April 30.

These are some of the long list of updates and new features:

  • The V8 engine was updated to version 7.4, with support for asynchronous stack traces, faster await, faster JavaScript parsing and faster calls when the actual and declared number of arguments do not match;
  • TLS 1.3 is now supported in the tls module, and TLS 1.0/1.1 are disabled by default;
  • Stronger protection and checks on the size of memory allocated by the Buffer class;

Get more info at the official website.