Summary
Updates are now available for all active Node.js release lines. These include the fix for the vulnerability identified in the initial announcement.
We recommend that all users upgrade as soon as possible.
Downloads
Node.js-specific security flaws
Node.js was susceptible to a remote DoS attack due to a change that came in as part of zlib v1.2.9. In zlib v1.2.9, the value 8 became invalid for the windowBits parameter, and Node's zlib module will crash or throw an exception (depending on the version) if you call:
zlib.createDeflateRaw({windowBits: 8})
The windowBits parameter controls how much of a message zlib keeps in memory while compressing it. A larger "window", as it's called, means more opportunities to spot and compress repeated bits of text, but results in higher memory usage. windowBits is the base-2 logarithm of the size of this window in bytes, and previously could take any integer value from 8 to 15.
This problem (Node.js crashing or throwing an exception) could be remotely exploited using some of the existing WebSocket clients, which may request a value of 8 for windowBits in certain cases, or with a custom-built WebSocket client. There may also be other vectors through which a zlib operation would be initiated by a remote request with a window size that results in a windowBits value of 8.
This problem was resolved within Node.js by changing any request for a windowBits size of 8 to use a windowBits size of 9 instead. This is consistent with previous zlib behavior, and we believe it minimizes the impact of the change on existing applications.
This vulnerability has been assigned CVE-2017-14919.
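For applications that cannot upgrade immediately, the same 8-to-9 mapping can be applied at the point where a remote peer's window size reaches zlib. The following is an added example, not code from Node.js itself: the helper names and sample offers are constructed, and the `server_max_window_bits` parameter name is taken from the WebSocket permessage-deflate extension (RFC 7692), which this advisory does not name.

```javascript
const zlib = require('zlib');

// Constructed sample offers, as a WebSocket client could send them in the
// Sec-WebSocket-Extensions header.
const SAMPLE_OFFERS = [
  'permessage-deflate; server_max_window_bits=8',
  'permessage-deflate; server_max_window_bits=12',
  'permessage-deflate; server_max_window_bits=99',
  'permessage-deflate',
];

// Hypothetical helper: turn a remote-supplied value into a windowBits that
// zlib accepts, or null if the offer should be declined.
function safeWindowBits(raw) {
  if (raw === undefined) return 15;          // parameter absent: zlib default
  if (!/^\d{1,2}$/.test(raw)) return null;   // not a plain small integer
  const bits = Number(raw);
  if (bits < 8 || bits > 15) return null;    // outside the documented 8..15
  return bits === 8 ? 9 : bits;              // 8 is invalid as of zlib v1.2.9
}

// Hypothetical helper: pull server_max_window_bits out of a single offer.
function negotiate(offer) {
  const m = /;\s*server_max_window_bits=([^;\s]+)/.exec(offer);
  return safeWindowBits(m ? m[1] : undefined);
}

// Validate first, then hand the value to zlib; the header value itself is
// never passed through unchecked.
function compressFor(offer, payload) {
  const windowBits = negotiate(offer);
  if (windowBits === null) return null;      // decline the extension
  return zlib.deflateRawSync(payload, { windowBits });
}

for (const offer of SAMPLE_OFFERS) {
  const out = compressFor(offer, Buffer.from('hello hello hello'));
  console.log(offer, '->', out ? `${out.length} bytes` : 'declined');
}
```

Data compressed with a window of 9 remains readable by a peer that asked for 8, because a decompressor only needs a window at least as large as the one used to compress.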