CVE-2015-7384 Denial of Service Vulnerability #3138
Originally posted @ https://groups.google.com/forum/#!topic/nodejs-sec/fSNEQiuof6I
Description and CVSS Score
A bug exists in Node.js versions 4.0.0 to 4.1.1 whereby an external attacker can cause a denial of service. The severity of this issue is high (see CVSS scoring below) and users of the affected versions should plan to upgrade when a fix is made available.
Full details of this vulnerability are embargoed until a new v4.x release is made available on Monday the 5th of October 2015, UTC.
Common Vulnerability Scoring System (CVSS) v3 Base Score:
Complete CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C/CR:L/IR:L/AR:M/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H. Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.
Action and updates
A new v4.x release on Monday the 5th of October 2015 will be made available with appropriate fixes for this vulnerability along with disclosure of the details of the bug to allow for complete impact assessment by users.
A new io.js v3.x release will be made on or after Monday the 5th of October 2015 for users having trouble migrating to Node.js v4; however, this release does not indicate continued official support of the io.js release lines.
Contact and future updates
Please contact firstname.lastname@example.org if you wish to report a vulnerability in Node.js.
Please subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date with security vulnerabilities in Node.js and the projects maintained in the nodejs GitHub organisation.
v4.1.2 has been released @ https://nodejs.org/download/release/latest/; please update now if you're using v4.x or io.js v3.x in production.
The fix is in core, on
Please note that it is likely that this problem exists even behind a TLS terminator and/or load-balancer.