
February 2020 Security Releases | Node.js

(Update 6-February-2020) Security releases available

Updates are now available for all active Node.js release lines for the following issues.

Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system.

Reported by Ethan Rubinson, a software engineer at

Optional whitespace should be trimmed from HTTP header values. Its presence may allow attackers to bypass security checks based on HTTP header values.

Reported by Alyssa Wilk from Google.

Remotely trigger an assertion on a TLS server with a malformed certificate string (High) (CVE-2019-15604)

Connecting to a Node.js TLS server with a client certificate that has a type 19 string in its subjectAltName will crash the TLS server if it tries to read the peer certificate.

Reported by Rogier Schouten and Melvin Groenhoff.

Increase the strictness of HTTP header parsing. No known vulnerabilities are addressed by this change, but lax HTTP parsing has historically been a source of problems. Some commonly used sites are known to generate invalid HTTP headers; the --insecure-http-parser CLI option or the insecureHTTPParser http option can be used if necessary for interoperability, but this is not recommended.
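As an added example (not code from the Node.js project or from this advisory), the script below shows the two header-handling checks the items above describe, written as user-level logic a gateway or proxy could apply before trusting a request: it trims optional whitespace (SP/HTAB) from header values before any comparison, and it flags the Content-Length / Transfer-Encoding conflicts that let two parsers disagree about where a request ends, which is the condition HTTP desync attacks depend on. The sample request bytes are constructed for the demonstration; the function names and finding labels are the example's own, not Node.js API.

```javascript
// Added example, not part of the Node.js advisory or the project's code.
// Audits the head of an HTTP/1.1 request for the two header-handling
// problems discussed above:
//   1. optional whitespace (OWS) around header values, which must be
//      stripped before the value is used in a security decision;
//   2. framing ambiguity (Content-Length vs Transfer-Encoding) that lets
//      two parsers disagree on where a request ends, the basis of HTTP
//      desync / request smuggling.
// All request bytes below are constructed for the demonstration.
'use strict';

// RFC 7230 optional whitespace is SP / HTAB only, so a plain trim() (which
// also removes other whitespace code points) is deliberately not used.
function trimOWS(value) {
  return value.replace(/^[ \t]+|[ \t]+$/g, '');
}

// Parse "request-line CRLF *(header-line CRLF) CRLF". Header names are
// lower-cased; each header keeps the raw value and the OWS-trimmed value.
function parseRequestHead(raw) {
  const lines = raw.split('\r\n');
  const requestLine = lines.shift();
  const headers = [];
  for (const line of lines) {
    if (line === '') break; // empty line terminates the header block
    const colon = line.indexOf(':');
    if (colon <= 0) {
      throw new Error('malformed header line: ' + JSON.stringify(line));
    }
    const name = line.slice(0, colon).toLowerCase();
    const rawValue = line.slice(colon + 1);
    headers.push({ name, rawValue, value: trimOWS(rawValue) });
  }
  return { requestLine, headers };
}

// Exact-match check the way an application should do it: on the trimmed value.
function headerEquals(head, name, expected) {
  return head.headers.some((h) => h.name === name && h.value === expected);
}

// Returns a list of finding labels (empty when the head looks sane).
function auditRequestHead(raw) {
  const { headers } = parseRequestHead(raw);
  const findings = [];
  const byName = (n) => headers.filter((h) => h.name === n);

  // (1) Any OWS beyond the conventional single space after the colon.
  // A check done on rawValue would compare "admin " against "admin".
  for (const h of headers) {
    if (h.rawValue !== h.value && h.rawValue !== ' ' + h.value) {
      findings.push('ows-in-value:' + h.name);
    }
  }

  // (2) Message framing must be unambiguous (RFC 7230 section 3.3.3).
  const cl = byName('content-length');
  const te = byName('transfer-encoding');
  if (cl.length > 0 && te.length > 0) findings.push('cl-and-te-both-present');
  if (new Set(cl.map((h) => h.value)).size > 1) findings.push('conflicting-content-length');
  for (const h of cl) {
    if (!/^\d+$/.test(h.value)) findings.push('invalid-content-length');
  }
  if (te.length > 0) {
    const codings = te.flatMap((h) => h.value.split(',').map((c) => trimOWS(c).toLowerCase()));
    if (codings[codings.length - 1] !== 'chunked') findings.push('te-not-ending-in-chunked');
    const known = ['chunked', 'gzip', 'deflate', 'compress', 'identity'];
    for (const c of codings) {
      if (!known.includes(c)) findings.push('unknown-transfer-coding:' + c);
    }
  }
  return findings;
}

// Constructed sample request heads.
const SAMPLES = {
  clean: 'POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello',
  trailingOWS: 'GET /admin HTTP/1.1\r\nHost: app.example\r\nX-Role: admin \r\n\r\n',
  ambiguous: 'POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n',
  nonFinalChunked: 'POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked, gzip\r\n\r\n',
};

for (const [label, raw] of Object.entries(SAMPLES)) {
  console.log(label.padEnd(16), auditRequestHead(raw).join(', ') || 'ok');
}
```

A server that sees any framing finding should reject the request with 400 rather than guess which length to honour; the stricter parser that ships with these releases performs checks of this kind inside Node.js itself, and the insecureHTTPParser opt-out described above disables them, which is why it is discouraged.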

Downloads & release details


The Node.js project will release new versions of all supported release lines on or shortly after Tuesday, February 4th, 2020.

One Critical severity and two High severity issues will be fixed. The release also includes stricter HTTP parsing.


All supported versions (10.x, 12.x, and 13.x) of Node.js are vulnerable.

Release timing

Releases will be available at, or shortly after, Tuesday, February 4th, 2020.

The current Node.js security policy can be found at Please follow the process outlined in if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at !forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.
