Node.js v14 Release Notes

Release Notes for Node.js v14 NES

2024-10-15, Version 14.21.5 'Fermium' (LTS)

This release includes security and compatibility fixes, including resolutions for the following vulnerabilities:

  • CVE-2023-5678 (OpenSSL) - Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.
  • CVE-2024-0727 (OpenSSL) - Processing a maliciously formatted PKCS12 file may cause OpenSSL to crash, leading to a potential Denial of Service attack.
  • Update NPM to v8.19.3.

2024-08-24, Version 14.21.4 'Fermium' (NES)

Includes over 20 dependency security and compatibility fixes, including resolutions for the following vulnerabilities:

  • CVE-2023-32067 (c-ares) - c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns it to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection.
  • CVE-2023-31147 (c-ares) - When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand(), so it will generate predictable output. Input from the random number generator is fed into a non-compliant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random(), which is widely available.
  • CVE-2023-31130 (c-ares) - ares_inet_net_pton() is vulnerable to a buffer underflow for certain IPv6 addresses; in particular, "0::00:00:00/2" was found to cause an issue. c-ares only uses this function internally for configuration purposes, which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues.
  • CVE-2023-31124 (c-ares) - When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross-compiling aarch64 Android. This will downgrade to using rand() as a fallback, which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG.
  • CVE-2022-4904 (c-ares) - A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
  • CVE-2022-35256 (llhttp) - The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling.
  • CVE-2023-44487 (nghttp2) - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly.
  • CVE-2023-35945 (nghttp2) - A memory leak vulnerability in Envoy's HTTP/2 codec, caused by improper cleanup after receiving RST_STREAM followed by GOAWAY frames, can lead to denial of service through memory exhaustion; this issue was patched in Envoy versions 1.26.3, 1.25.8, 1.24.9, and 1.23.11.
  • CVE-2021-39135 (npm) - A vulnerability in @npmcli/arborist allowed attackers to exploit symbolic links in the node_modules folder, potentially writing package dependencies to arbitrary locations on the filesystem; this issue was patched in version 2.8.2, included in npm v7.20.7 and above.
  • CVE-2021-39134 (npm) - A vulnerability in @npmcli/arborist allowed attackers to overwrite arbitrary files on case-insensitive file systems by exploiting case differences in dependency names, affecting npm v7.20.6 and earlier; it was patched in version 2.8.2 included with npm v7.20.7 and above.
  • CVE-2024-0727 (OpenSSL) - A vulnerability in OpenSSL can cause a crash when processing maliciously formatted PKCS12 files, potentially leading to a Denial of Service (DoS) in applications handling untrusted PKCS12 files.
  • CVE-2023-5678 (OpenSSL) - A vulnerability in OpenSSL's X9.42 DH key generation and checking functions can cause significant delays when processing excessively long keys or parameters, potentially leading to a Denial of Service (DoS) when dealing with untrusted sources.
  • CVE-2023-4807 (OpenSSL) - A bug in OpenSSL's POLY1305 MAC implementation on Windows 64 systems with AVX512-IFMA support may corrupt application state, potentially leading to crashes or Denial of Service (DoS), though the severity is considered low.
  • CVE-2023-3817 (OpenSSL) - A vulnerability in OpenSSL's DH parameter checking functions can cause significant delays when processing excessively long DH keys, potentially leading to a Denial of Service (DoS) in applications using untrusted sources.
  • CVE-2023-2650 (OpenSSL) - A vulnerability in OpenSSL's OBJ_obj2txt() function can cause significant delays when processing large ASN.1 object identifiers, potentially leading to a Denial of Service (DoS) in certain applications.
  • CVE-2023-0466 (OpenSSL) - A flaw in OpenSSL's X509_VERIFY_PARAM_add0_policy() function fails to enable certificate policy checks as documented, allowing certificates with invalid policies to pass verification.
  • CVE-2023-0465 (OpenSSL) - A vulnerability in OpenSSL allows a malicious CA to bypass certificate policy checks when non-default verification options are used, potentially leading to security breaches.
  • CVE-2023-0464 (OpenSSL) - A vulnerability in OpenSSL's X.509 certificate chain verification could enable a DoS attack through excessive resource usage when policy constraints are processed.
  • GHSA-5689-v88g-g6rv (llhttp) - llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding.
  • GHSA-q5vx-44v4-gch4 (llhttp) - llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields.
  • GHSA-cggh-pq45-6h9x (llhttp) - llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding.