V8 High CVE Backports. CVE-2024-4761 / CVE-2024-4947 / CVE-2024-5274

[gian cordero ortiz]

Good morning/afternoon. 

There are 3 high V8 CVEs that have been recently fixed. I'd like to know if they will be backported to V8 versions 10.2.154.x (used by Node 18.20.4) and 11.3.244.x (Used by Node 20.16.0)

See

• https://github.com/nodejs/node/blob/v18.20.4/deps/v8/include/v8-version.h
  
• https://github.com/nodejs/node/blob/v20.16.0/deps/v8/include/v8-version.h

The CVEs are: 
https://nvd.nist.gov/vuln/detail/CVE-2024-4761. (Score 8.8)

• Out of bounds write. 
• Fixed in version 12.6.213
• Fixed by this commit 

https://nvd.nist.gov/vuln/detail/CVE-2024-4947

• Type Confusion. 
• Fixed in version 12.0.267.27
• Fixed by this commit

https://nvd.nist.gov/vuln/detail/CVE-2024-5274

• Type Confusion. 
• Fixed in version 12.4.254.20
• Fixed by this commit

These are high CVEs identified by CISA as being KEV. 

[Omer Katz]

I don't recall the exact criteria, but V8 doesn't usually back merge fixes that far back.

Version 11.3 is over a year old and version 10.2 is over 2 years old by now.

[jo...@igalia.com]

If you are only looking into it for Node.js, these are only security vulnerability in Chromium's threat model which defends against untrusted code. In the threat model of Node.js, which trusts all JS code given to it to execute, these are at most regular bugs. V8 doesn't maintain these old releases and Node.js maintains support for its vendored version of V8 in active releases to some extent, you could submit a backport to Node.js's v20 and v18 release lines (see https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintaining-V8.md), though it'll be up to the Node.js release team to decide whether or when they'll be accepted (as these are not really security vulnerabilities for Node.js, they are not likely to be considered prioritized).

Regards,

Joyee