JavaScript News

CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

November 26th, 2015

This announcement is for: CVE-2015-8027: a high-impact denial of service vulnerability CVE-2015-6764: a low-impact V8 out-of-bounds access vulnerability CVE-2015-8027 Denial of Service Vulnerability Description and CVSS Score A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue…

V8 Memory Corruption and Stack Overflow (fixed in Node v0.8.28 and v0.10.30)

July 31st, 2014

A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your work…

OpenSSL and Breaking UTF-8 Change (fixed in Node v0.8.27 and v0.10.29)

June 16th, 2014

Today we are releasing new versions of Node: node-v0.8.27 node-v0.10.29 First and foremost these releases address the current OpenSSL vulnerability CVE-2014-0224, for both 0.8 and 0.10 we’ve upgraded the version of the bundled OpenSSL to their fixed versions v1.0.0m and v1.0.1h respectively. Additionally these releases address the fact that V8 UTF-8 encoding would allow unmatched…

jQuery’s Content Delivery Network: You Got Served!

January 14th, 2014

In 2013, MaxCDN joined the jQuery Foundation and stepped up to provide Content Delivery Network (CDN) services for the jQuery CDN at Files can now be requested through both HTTP and HTTPS (SSL) protocols, either to download to your own servers or to use directly on production web sites. MaxCDN’s infrastructure can reliably deliver…

DoS Vulnerability (fixed in Node v0.8.26 and v0.10.21)

October 22nd, 2013

Node.js is vulnerable to a denial of service attack when a client sends many pipelined HTTP requests on a single connection, and the client does not read the responses from the connection. We recommend that anyone using Node.js v0.8 or v0.10 to run HTTP servers in production please update as soon as possible. v0.10.21…

HTTP Server Security Vulnerability: Please upgrade to 0.6.17

May 7th, 2012

tl;dr A carefully crafted attack request can cause the contents of the HTTP parser’s buffer to be appended to the attacking request’s header, making it appear to come from the attacker. Since it is generally safe to echo back contents of a request, this can allow an attacker to get an otherwise correctly designed server…