Node.js OS Command Injection Vulnerability Affecting Multiple Versions
CVE-2022-43548

8.1HIGH

Key Information:

Vendor

Nodejs

Status
Node
Vendor
CVE Published:
5 December 2022

What is CVE-2022-43548?

An OS Command Injection vulnerability exists in various Node.js versions, primarily stemming from an inadequate validation in the IsAllowedHost check. This flaw allows attackers to bypass validation checks for IP addresses, potentially leading to rebinding attacks that can compromise system security. Previous mitigations were incomplete, necessitating the issuance of this vulnerability notice to emphasize the need for updated security measures in affected Node.js versions.

Affected Version(s)

Node 4.0 < 4.*

Node 5.0 < 5.*

Node 6.0 < 6.*

References

https://nodejs.org/en/blog/vulnerability/november-2022-se...
https://security.netapp.com/advisory/ntap-20230120-0004/
https://www.debian.org/security/2023/dsa-5326
vendor-advisory

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.