Summary
The vulnerability in the OpenSSL Security release of Oct 11 2022 does not affect any active Node.js release lines, as well
as the zlib vulnerability (CVE-2022-37434) patched on the zlib Security release of Oct 13 2022, does not affect Node.js.
Analysis OpenSSL
Our assessment of the security advisory is:
Using a Custom Cipher with
1
NID_undef
1 | NID_undef |
may lead to NULL encryption (CVE-2022-3358)
Node.js doesn’t call
1 | EVP_CIPHER_meth_new(NID_undef, ...) |
. Therefore, Node.js is not affected by this vulnerability.
Analysis zlib
Our assessment of the CVE-2022-37434 is:
Buffer overflow in inflate via a large gzip header extra field
Node.js doesn’t call
1 | inflateGetHeader |
. Therefore, Node.js is not affected by this vulnerability.
Further information, see: nodejs-dependency-vuln-assessments#50.
Node.js Vulnerability Assessment workflow
The Node.js Security team created an automated workflow that aims to address all the public CVE of Node.js dependencies.
This initiative aims to reduce the gap between a dependency security release and a Node.js assessment.
The repository is available at nodejs/nodejs-dependency-vuln-assessments, and the assessments are made through the
issues.
Ensure to watch the repository if you are interested in security patches.
Contact and future updates
The current Node.js security policy can be found at https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security,
including information on how to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at
https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on
security vulnerabilities and security-related releases of Node.js and the
projects maintained in the
Node.js GitHub organization.
0 Comments