Node.js developers over the weekend released a critical update to the open source runtime that addresses a bug attackers could use to crash applications and mount denial of service attacks.
“The security concern comes from the fact that a lot of data from outside of an application is delivered to Node via this mechanism which means that users can potentially deliver specially crafted input data that can cause an application to crash when it goes through this path,” the post claims.
The post goes on to warn that the issue affects most networking and filesystem operations, along with “many user-land users of Buffer to UTF8 String conversion.”
Trevor Norris, an io.js and Node.js core maintainer, and Kris Reeves, an engineer at BBH Media, discovered the vulnerability; according to io.js’s blog, it was fixed by Fedor Indutny, a Node.js and io.js core team member.
Prepare to upgrade your io.js/nodejs deployments with this next security update. It's a doozy. Will publish details after significant uptake
— φrevor ηorris (@trevnorris) July 3, 2015
The developers behind the fix acknowledged that the Friday before a major U.S. holiday, the Fourth of July, was not the best time to deploy a critical update, but said that details regarding the bug and a potential exploit had inadvertently surfaced on a public forum.
“We’d rather give companies and users the tools to protect themselves and mitigate DoS if they happen to become a reality than sit on it and cross our fingers,” the devs wrote.
FYI we didn't push io.js and Node releases late on the Fri before the July 4 for fun, info about the bug/exploit was in the public domain
— Rod Vagg.js (@rvagg) July 4, 2015
The post adds that the initial ETA for the update was midday Friday PST, but the patch was not ready by then, and an extended test and verification process for V8, io.js and Node.js ran through the day.
A fix for the bug was committed in Google’s V8 on Monday.