On January 19, 2024, the German Federal Office for Information Security (BSI) published an updated security advisory detailing multiple vulnerabilities in Node.js versions 10, 12, 14, and 16. These flaws allow attackers to bypass TLS certificate verification, access internal networks, and achieve remote code execution.
These vulnerabilities affect Node.js deployments on Linux, UNIX, and Windows operating systems. Impacted products include Debian Linux, Red Hat Enterprise Linux, Fedora Linux, SUSE Linux, Oracle Linux, IBM Business Automation Workflow, Jenkins, IBM App Connect Enterprise, and other systems running vulnerable Node.js versions.
Organizations using Node.js are urged to immediately patch, upgrade, or isolate vulnerable systems. The latest remediation guidance can be found in the IBM Security Bulletin 7108824, updated on January 18, 2024. Administrators should prioritize patching production systems and thoroughly test updates before deployment.
Analyzing the Vulnerability
The Common Vulnerability Scoring System (CVSS) provides a standard way to evaluate and prioritize vulnerabilities based on multiple factors. Using CVSS, organizations can determine the severity of a flaw and properly allocate resources toward remediation.
This Node.js vulnerability has received a Base Score of 9.8 out of 10 on the CVSS v3.1 scale, which places it in the “critical” severity band. A score of 9.8 indicates an attack that is extremely easy to carry out: it requires little to no user interaction, has low complexity, and can be exploited anonymously with no special privileges.