OpenSSL Vulnerability in Node.js Products by Node.js Foundation
CVE-2017-15896

9.1CRITICAL

Key Information:

Vendor: The Node.js Project
Status: Node.js
Vendor: CVE Published:; 11 December 2017

🔔 Create The Node.js Project Vulnerability Alert

What is CVE-2017-15896?

Node.js is impacted by an OpenSSL vulnerability where the use of SSL_read() during a TLS handshake could be exploited by active network attackers. This flaw allows attackers to send application data without proper TLS authentication and encryption, utilizing the TLS or HTTP2 modules. It is essential for users to update their Node.js products to secure versions to mitigate this risk.

Affected Version(s)

Node.js 4.0.0 and higher

Node.js 6.0.0 and higher

Node.js 8.0.0 and higher

References

https://nodejs.org/en/blog/vulnerability/december-2017-se...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 11, 2017
Vulnerability Reserved
Oct 25, 2017