The Node.js project has scheduled updates for all of its active release lines to patch two security flaws and one security-related usability flaw. We do not consider any of our updates to be critical, however, it is recommended that all production instances of Node.js be upgraded when the releases are made available.
We intend to make releases available on or soon after Thursday, the 16th of June, 2016, UTC.
We consider some of the patches in these releases to be API breaking changes which would normally warrant an increase in the major-version number of Node.js. However, in accordance with our security procedures we will be delivering these changes in minor-version increases (the y in x.y.z) where appropriate, and patch-version increases in the v0.10 and v0.12 releases.
Therefore, we expect to be releasing:
- Node.js v6.3.0 (Current)
- Node.js v5.12.0
- Node.js v4.5.0 (LTS "Argon")
- Node.js v0.12.15 (Maintenance)
- Node.js v0.10.46 (Maintenance)
While we anticipate minimal impact from the breaking changes, please be sure to review the details once they are released and make an assessment regarding the impact on your applications.
Additional notes:
- It is our intention to stop releasing critical updates for the v5 release line at the end of this month; you should migrate to v6 or v4 LTS if you have not already done so.
- In accordance with our security release procedures, we will be limiting changes included in the LTS and Maintenance lines (v4, v0.12 and v0.10) for these updates to only security-related and critical fixes to provide maximum stability for users.
V8 security defect
The V8 team has identified and patched a potential security vulnerability. We will be backporting the fix to all active release lines of Node.js. Our current assessment is that this vulnerability should be considered low-severity for Node.js users, with an exploit being very difficult to develop and execute.
All versions of Node.js are affected.
HTTP processing security defect (CVE-2016-5325)
We will be including fixes relating to Node.js HTTP processing. We categorise these as low-severity and are not aware of any existing exploits leveraging the defects. Full details are embargoed until new releases are available.
Common Vulnerability Scoring System (CVSS) v3 Base Score:
| Metric | Score |
|-----------------------------|----------------------------|
| **Base Score:** | 4.8 (Medium) |
| **Base Vector:** | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| **Attack Vector:** | Network (AV:N) |
| **Attack Complexity:** | High (AC:H) |
| **Privileges Required:** | None (PR:N) |
| **User Interaction:** | None (UI:N) |
| **Scope of Impact:** | Unchanged (S:U) |
| **Confidentiality Impact:** | Low (C:L) |
| **Integrity Impact:** | Low (I:L) |
| **Availability Impact:** | None (A:N) |
Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.
All versions of Node.js are affected. This defect will be identified as CVE-2016-5325.
Security-related HTTP client usability flaw
We intend to also include a patch for the HTTP client in Node.js. While we do not consider this to be strictly a security concern for Node.js core, it poses a usability concern that may easily enable users to write code that exposes vulnerabilities in their applications.
All versions of Node.js are affected.
Contact and future updates
Please monitor the nodejs-sec Google Group for updates: https://groups.google.com/forum/#!forum/nodejs-sec or the Node.js website for release announcements: https://nodejs.org/en/blog/
The current Node.js security policy can be found at https://nodejs.org/en/security/.
Please contact secu...@nodejs.org if you wish to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organisation.