<p>Upgrade <code>node</code> to version 6.15.0, 8.14.0, 10.14.0, 11.3.0 or higher.</p>

Hostname Spoofing Affecting node package, versions [6.0.0, 6.15.0) [8.0.0, 8.14.0) [10.0.0, 10.14.0) [11.0.0, 11.3.0)

Snyk CVSS

Attack Complexity Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-UPSTREAM-NODE-73602
published 24 Jan 2019
disclosed 28 Nov 2018
credit Martin Bajanik

Report a new vulnerability Found a mistake?

Introduced: 28 Nov 2018

CWE-115 Open this link in a new tab

How to fix?

Upgrade node to version 6.15.0, 8.14.0, 10.14.0, 11.3.0 or higher.

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Hostname Spoofing. If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.

References

Nodejs Security Advisory