DNS Rebinding Attack Vulnerability in Node.js Inspector by Node.js
CVE-2018-7160

8.8HIGH

Key Information:

Vendor

The Node.js Project

Status
Node.js
Vendor
CVE Published:
17 May 2018

What is CVE-2018-7160?

The Node.js inspector, available from version 6.x and later, is susceptible to a DNS rebinding vulnerability that may lead to remote code execution. Attackers can exploit this vulnerability by hosting a malicious website that, when accessed from a web browser on the same machine running Node.js, can bypass the same-origin policy. This allows the attacker to establish a connection to localhost or any accessible hosts within the local network. If a Node.js process is running with an active debug port, it becomes possible for the attacker to connect to it as a debugger, resulting in full code execution capabilities.

Affected Version(s)

Node.js ^6.0.0 || ^8.0.0 || ^9.0.0

References

https://www.oracle.com//security-alerts/cpujul2021.html
x_refsource_MISC
https://nodejs.org/en/blog/vulnerability/march-2018-secur...
x_refsource_CONFIRM
https://support.f5.com/csp/article/K63025104?utm_source=f...
x_refsource_CONFIRM

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2018-7160 : DNS Rebinding Attack Vulnerability in Node.js Inspector by Node.js