DNS Rebinding

Affecting node package, versions [15.0.0, 15.10.0) || [14.0.0, 14.16.0) || [12.0.0, 12.21.0) || [10.0.0, 10.24.0)

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to DNS Rebinding. A Denial of Service can occur when the whitelist in /etc/hosts includes localhost6. If an attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the localhost6 domain.

Remediation

Upgrade node to version 15.10.0, 14.16.0, 12.21.0, 10.24.0 or higher.
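
A check of Node.js versions against the affected ranges listed in this advisory, as an added example that is not part of the original advisory or of Snyk's tooling. The function names and the sample inventory are constructed for illustration, and pre-release suffixes are ignored on the assumption that inventories hold release builds.

```javascript
// Added example: flag Node.js versions inside the affected ranges from this advisory.
// Ranges are half-open, [introduced, fixed), and copied from the advisory text.
const AFFECTED_RANGES = [
  { introduced: [10, 0, 0], fixed: [10, 24, 0] },
  { introduced: [12, 0, 0], fixed: [12, 21, 0] },
  { introduced: [14, 0, 0], fixed: [14, 16, 0] },
  { introduced: [15, 0, 0], fixed: [15, 10, 0] },
];

// Parse "v14.15.4", "14.15.4" or "15.0.0-rc.1" into [major, minor, patch].
// Malformed input throws, so a bad inventory entry is never reported as safe.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(text).trim());
  if (!m) throw new TypeError(`not a Node.js version: ${text}`);
  return m.slice(1, 4).map(Number);
}

// Three-way comparison of two [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns whether the version is affected and, if so, the fixed release on its line.
function checkNodeVersion(text) {
  const v = parseVersion(text);
  const hit = AFFECTED_RANGES.find(
    (r) => compare(v, r.introduced) >= 0 && compare(v, r.fixed) < 0
  );
  return hit
    ? { version: v.join("."), affected: true, upgradeTo: hit.fixed.join(".") }
    : { version: v.join("."), affected: false, upgradeTo: null };
}

// Constructed inventory, plus the runtime executing this script.
const inventory = ["v10.23.3", "12.21.0", "v14.15.4", "15.9.0", "v15.10.0", process.version];
for (const entry of inventory) {
  const r = checkNodeVersion(entry);
  const status = r.affected
    ? `affected, upgrade to ${r.upgradeTo} or higher`
    : "not in a listed affected range";
  console.log(`${r.version}: ${status}`);
}
```

Release lines that the advisory does not list (for example 13.x) are reported as "not in a listed affected range", which says nothing about whether they are still supported.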

CVSS Score

5.9 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Credit: Vít Šesták
CVE: CVE-2021-22884
CWE: CWE-350
Snyk ID: SNYK-UPSTREAM-NODE-1078518
Published: 23 Feb, 2021