Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Updates are now available for all active Node.js release lines, including Linux ARMv6 builds for Node.js 8.x (which had been delayed). We recommend that all Node.js users Read more…
(Update 28-February-2018) Security releases available Summary Updates are now available for all active Node.js release lines. In addition to fixes for security flaws in Node.js, they also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2r which contains a fix for a moderate severity security vulnerability. The original announcement Read more…
(Update 27-November-2018) Security releases available Summary Updates are now available for all active Node.js release lines. These include fixes for the vulnerabilities identified in the initial announcement (below). They also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2q, and upgrades of Node.js 10 and 11 to OpenSSL 1.1.0j. Read more…
(Update 16-August-2018) Security releases available Summary Updates are now available for all active Node.js release lines. These include upgrades for OpenSSL and fixes for the vulnerabilities identified in the initial announcement (below). We recommend that all users upgrade as soon as practical. Downloads & release details Downloads are available for Read more…
(Update 4-Jan-2021) Security releases available Updates are now available for v10,x, v12.x, v14.x and v15.x Node.js release lines for the following issues. In addition to the vulnerabilities listed below, these releases also include an update to npm in order to resolve an issue that was reported against npm by security Read more…
(Update 16-Nov-2020) Security releases available Updates are now available for v12.x, v14.x and v15.x Node.js release lines for the following issues. Denial of Service through DNS request (CVE-2020-8277) A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial Read more…
(Update 15-Sept-2020) Security releases available Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues. HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201) Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Read more…
