Hostname Spoofing Vulnerability in Node.js by Node.js Foundation
CVE-2018-12123

4.3MEDIUM

Key Information:

Vendor

The Node.js Project

Status
Node.js
Vendor
CVE Published:
28 November 2018

What is CVE-2018-12123?

A vulnerability exists in Node.js's URL parser affecting multiple versions. This flaw allows a malicious user to spoof hostnames using mixed case 'javascript:' protocol calls, leading to potential misjudgment in security decisions based on these hostnames. Applications that rely on url.parse() may incorrectly interpret the URL due to this spoofing capability, posing security risks in environments where hostname fidelity is critical.

Affected Version(s)

Node.js All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0

References

https://nodejs.org/en/blog/vulnerability/november-2018-se...
x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2019:1821
vendor-advisoryx_refsource_REDHAT
https://security.gentoo.org/glsa/202003-48
vendor-advisoryx_refsource_GENTOO

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.