Developers at Node.js over the weekend released a critical update to the open source runtime environment that addresses a bug that could be used to cause denial of service attacks.
The JavaScript framework is used in one way or another by a handful of companies, including Netflix, PayPal, the New York Times, WalMart, GE, and LinkedIn. The five year old open source tool, overseen by Joyent Inc., is used by businesses to build APIs, apps, and mobile sites, among other infrastructure.
According to an io.js blog post on Medium last Friday, the issue stems from a bug in Google’s open source JavaScript engine V8 and the way it decodes UTF strings. The bug affects Node.js at the Buffer to UTF8 String conversion and if exploited, can crash processes.
“The security concern comes from the fact that a lot of data from outside of an application is delivered to Node via this mechanism which means that users can potentially deliver specially crafted input data that can cause an application to crash when it goes through this path,” the post claims.
The post goes on to warn the issue affects most networking and filesystem operations, along with “many user-land users of Buffer to UTF8 Strong conversion.”
Trevor Norris, an io.js and node.js Core Maintainer and Kris Reeves, an engineer at BBH Media, discovered the vulnerability and according to io.js’s blog it was fixed by Fedor Indutny, a node.js and io.js core team member.
Prepare to upgrade your io.js/nodejs deployments with this next security update. It's a doozy. Will publish details after significant uptake
— trevnorris (@trevnorris) July 3, 2015
Devs behind the fix acknowledged that the Friday before a major U.S. holiday, the Fourth of July, wasn’t the best time to deploy a critical update but that details regarding the bug and a potential exploit had inadvertently surfaced on a public forum.
“We’d rather given companies and users the tools to protect themselves and mitigate DoS if they happen to become a reality than sit on it and cross our fingers,” the devs wrote.
FYI we didn't push io.js and Node releases late on the Fri before the July 4 for fun, info about the bug/exploit was in the public domain
— Rod Vagg (@rvagg) July 4, 2015
The post adds that the initial ETA for the update was midday Friday PST but the patch wasn’t ready and that there was an extended test and verification process for V8, io.js and Node.js during the day.
https://twitter.com/fhemberger/status/617300392821587968
While version 0.10 is not affected, those who use version 0.12 of Node.js are being encouraged to download the most recent version of the platform, 0.12.6, to fix the bug. Io.js, a separate JavaScript platform based on Node has also pushed out updates, versions 2.3 and 1.8, to incorporate the fix.
Node.js v0.12.6 (Stable): http://t.co/UyKGamlZFB fixes a severe security issue #nodejs
— Node.js (@nodejs) July 4, 2015
A fix for the bug was committed in Google’s V8 on Monday.