Hostname Spoofing Affecting node package, versions [6.0.0, 6.15.0) [8.0.0, 8.14.0) [10.0.0, 10.14.0) [11.0.0, 11.3.0)
Snyk CVSS
Attack Complexity
Low
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-UPSTREAM-NODE-73602
- published 24 Jan 2019
- disclosed 28 Nov 2018
- credit Martin Bajanik
How to fix?
Upgrade node
to version 6.15.0, 8.14.0, 10.14.0, 11.3.0 or higher.
Overview
node is a JavaScript runtime built on Chrome's V8 JavaScript engine.
Affected versions of this package are vulnerable to Hostname Spoofing. If a Node.js application is using url.parse()
to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.