Node.js v16 Release Notes

2024-07-30, Version 16.20.3 'Gallium' (NES)

This release includes over 40 dependency security and compatibility fixes including resolution for the following vulnerabilities:

• CVE-2023-44487 (nghttp2) - Denial of service vulnerability in nghttp2 where resource exhaustion can occur due to improperly handled RST_STREAM frames.
• CVE-2023-35945 (nghttp2)- A vulnerability in nghttp2 where a crafted HTTP/2 frame can trigger a denial of service by crashing the server.
• CVE-2024-0727 (OpenSSL) - An undefined behavior in OpenSSL's cryptographic functions, potentially leading to security vulnerabilities.
• CVE-2023-6129 (OpenSSL) - Memory corruption vulnerability in OpenSSL’s CMS function, leading to potential remote code execution.
• CVE-2023-5678 (OpenSSL) - Flaw in OpenSSL’s X.509 certificate validation that could allow certificate spoofing under specific circumstances.
• CVE-2023-5363 (OpenSSL)- A vulnerability in OpenSSL’s ASN.1 parsing code that could cause a denial of service due to an infinite loop.
• CVE-2023-4807 (OpenSSL)- Buffer overflow vulnerability in OpenSSL's SM2 decryption functions, potentially leading to remote code execution.
• CVE-2023-3817 (OpenSSL) - A timing side-channel attack in OpenSSL's RSA key generation function that could leak sensitive information.
• CVE-2023-2975 (OpenSSL)- Vulnerability in OpenSSL’s PKCS7 parsing that could lead to out-of-bounds reads and potential information disclosure.
• CVE-2023-2650 (OpenSSL) - A flaw in OpenSSL’s X.509 name constraints enforcement that could allow bypassing of name constraints.
• CVE-2023-1255 (OpenSSL) - An integer overflow vulnerability in OpenSSL’s ASN.1 code leading to potential remote code execution.
• CVE-2023-0466 (OpenSSL) - Denial of service vulnerability in OpenSSL’s BN_mod_exp function due to improper handling of zero inputs.
• CVE-2023-0465 (OpenSSL) - A vulnerability in OpenSSL's SM2 decryption implementation that could result in improper error handling and leaks.
• CVE-2023-0464 (OpenSSL) - Memory corruption vulnerability in OpenSSL’s X.509 function leading to potential remote code execution.
• CVE-2022-4203 (OpenSSL) - A vulnerability in OpenSSL’s X.509 certificate chain verification that could result in a bypass of certificate validation.
• CVE-2023-0401 (OpenSSL) - Denial of service vulnerability in OpenSSL’s PKCS7 code caused by improper handling of certain inputs.
• CVE-2023-0286 (OpenSSL) - A flaw in OpenSSL’s certificate verification process allowing potential bypass of security restrictions.
• CVE-2023-0217 (OpenSSL) - A timing attack in OpenSSL’s DSA signature generation could leak sensitive information.
• CVE-2023-0216 (OpenSSL) - Vulnerability in OpenSSL’s DTLS implementation that could result in a denial of service attack.
• CVE-2023-0215 (OpenSSL) - A memory leak vulnerability in OpenSSL’s X.509 certificate parsing could lead to denial of service.
• CVE-2022-4450 (OpenSSL) - Vulnerability in OpenSSL’s CMS and PKCS7 code that could allow a denial of service attack via memory exhaustion.
• CVE-2022-4304 (OpenSSL) - Heap buffer overflow in OpenSSL’s SSL_get1_peer_certificate function could lead to remote code execution.
• CVE-2022-3996 (OpenSSL) - A vulnerability in OpenSSL’s name constraints checking allowing a bypass in certain conditions.
• CVE-2022-3786 (OpenSSL) - A buffer overflow vulnerability in OpenSSL’s certificate verification that could lead to a denial of service.
• CVE-2022-3602 (OpenSSL) - Buffer overflow in OpenSSL’s X.509 email address parsing could allow remote code execution.
• CVE-2022-3358 (OpenSSL) - An improper input validation vulnerability in OpenSSL’s ASN.1 string parsing could cause denial of service.
• CVE-2022-2097 (OpenSSL) - Vulnerability in OpenSSL’s AES OCB mode resulting in incorrect decryption under specific conditions.
• CVE-2022-2068 (OpenSSL) - A command injection vulnerability in OpenSSL’s c_rehash script could allow remote code execution.
• CVE-2022-1473 (OpenSSL) - A vulnerability in OpenSSL’s PEM file processing that could lead to denial of service or memory corruption.
• CVE-2022-1434 (OpenSSL) - A timing side-channel attack in OpenSSL’s RSA signature verification could leak sensitive information.
• CVE-2022-1343 (OpenSSL) - A flaw in OpenSSL’s BN_mod_sqrt function that could result in incorrect results under specific conditions.
• CVE-2022-1292 (OpenSSL) - Vulnerability in OpenSSL’s c_rehash script allowing command injection under specific conditions.
• CVE-2022-0778 (OpenSSL) - Flaw in OpenSSL’s BN_mod_sqrt function leading to an infinite loop and denial of service.
• CVE-2021-4160 (OpenSSL) - A vulnerability in OpenSSL’s CMP client leading to a double-free, potentially causing denial of service.
• CVE-2021-4044 (OpenSSL) - A vulnerability in OpenSSL’s SSL/TLS server that could allow a denial of service attack through memory exhaustion.
• CVE-2023-45143 (undici) - A prototype pollution vulnerability in undici's fetch API that could lead to arbitrary code execution.
• CVE-2023-45853 (zlib) - Buffer overflow vulnerability in zlib’s decompression routine that could lead to denial of service or code execution.
• GHSA-wqq4-5wpv-mx2g (undici) - A potential header injection vulnerability in undici that could lead to HTTP response splitting.
• GHSA-3787-6prv-h9w3 (undici) - A resource exhaustion vulnerability in undici due to improper handling of request cancellation.
• GHSA-cggh-pq45-6h9x (llhttp) - A denial of service vulnerability in llhttp caused by malformed HTTP requests leading to infinite loop.