惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

云风的 BLOG
云风的 BLOG
C
Cyber Attacks, Cyber Crime and Cyber Security
Recent Announcements
Recent Announcements
爱范儿
爱范儿
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Security Latest
Security Latest
J
Java Code Geeks
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Cisco Talos Blog
Cisco Talos Blog
Apple Machine Learning Research
Apple Machine Learning Research
C
Check Point Blog
T
Threat Research - Cisco Blogs
I
Intezer
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
WordPress大学
WordPress大学
Engineering at Meta
Engineering at Meta
腾讯CDC
Google DeepMind News
Google DeepMind News
Project Zero
Project Zero
T
Tenable Blog
V
Visual Studio Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
Spread Privacy
Spread Privacy
GbyAI
GbyAI
T
Tailwind CSS Blog
P
Palo Alto Networks Blog
Microsoft Security Blog
Microsoft Security Blog
Scott Helme
Scott Helme
Hugging Face - Blog
Hugging Face - Blog
NISL@THU
NISL@THU
Blog — PlanetScale
Blog — PlanetScale
G
GRAHAM CLULEY
K
Kaspersky official blog
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
P
Proofpoint News Feed
S
SegmentFault 最新的问题
P
Proofpoint News Feed
P
Privacy & Cybersecurity Law Blog
The Hacker News
The Hacker News
博客园 - 【当耐特】
Cyberwarzone
Cyberwarzone
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
V
Vulnerabilities – Threatpost
H
Help Net Security
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Last Week in AI
Last Week in AI
博客园 - 叶小钗

Node.js Blog

Node.js — Security Bug Bounty Program Paused Due to Loss of Funding Node.js — Node.js 25.9.0 (Current) Node.js — Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8 Node.js — Node.js 25.8.2 (Current) Node.js — Node.js 24.14.1 (LTS) Node.js — Node.js 22.22.2 (LTS) Node.js — Node.js 20.20.2 (LTS) Node.js — Tuesday, March 24, 2026 Security Releases Node.js — Node.js 25.8.1 (Current) Node.js — Evolving the Node.js Release Schedule Node.js — Node.js 22.22.1 (LTS) Node.js — Node.js 20.20.1 (LTS) Node.js — Node.js 25.8.0 (Current) Node.js — Node.js 25.7.0 (Current) Node.js — Node.js 24.14.0 (LTS) Node.js — New HackerOne Signal Requirement for Vulnerability Reports Node.js — Node.js 25.6.1 (Current) Node.js — Node.js 24.13.1 (LTS) Node.js — Node.js 25.6.0 (Current) Node.js — OpenSSL Security Advisory Assessment, January 2026 Node.js — Node.js 25.5.0 (Current) Node.js — Chalk to Node.js util styleText Node.js — Node.js 25.4.0 (Current) Node.js — Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users Node.js — Node.js 22.22.0 (LTS) Node.js — Node.js 25.3.0 (Current) Node.js — Node.js 24.13.0 (LTS) Node.js — Node.js 20.20.0 (LTS) Node.js — Tuesday, January 13, 2026 Security Releases Node.js — Node.js 24.12.0 (LTS) Node.js — Node.js 20.19.6 (LTS) Node.js — Node.js 25.2.1 (Current) Node.js — Node.js 24.11.1 (LTS) Node.js — Node.js 25.2.0 (Current) Node.js — Node.js 25.1.0 (Current) Node.js — Node.js 22.21.1 (LTS) Node.js — Node.js 24.11.0 (LTS) Node.js — Node.js v22 to v24 Node.js — Node.js v20 to v22 Node.js — Node.js v14 to v16 Node.js — Node.js v12 to v14 Node.js — Node.js 22.21.0 (LTS) Node.js — Node.js 25.0.0 (Current) Node.js — Node.js 24.10.0 (Current) Node.js — Node.js 24.9.0 (Current) Node.js — Node.js 22.20.0 (LTS) Node.js — Node.js 24.8.0 (Current) Node.js — Node.js 20.19.5 (LTS) Node.js — Node.js 22.19.0 (LTS) Node.js — Node.js 24.7.0 (Current) Node.js — Node.js 24.6.0 (Current) Node.js — Node.js 22.18.0 (LTS) Node.js — Node.js 24.5.0 (Current) Node.js — Node.js 20.19.4 (LTS) Node.js — Node.js 22.17.1 (LTS) Node.js — Node.js 24.4.1 (Current) Node.js — Tuesday, July 15, 2025 Security Releases Node.js — Node.js 24.4.0 (Current) Node.js — Node.js LGBTQIA+ Stories: Emelia Smith Node.js — Open sourced identity Node.js — Node.js 22.17.0 (LTS) Node.js — Node.js 24.3.0 (Current) Node.js — Node.js 20.19.3 (LTS) Node.js — In Memory of Mikeal Rogers: A Builder of Communities Node.js — Node.js 24.2.0 (Current) Node.js — Beware of End-of-Life Node.js Versions - Upgrade or Seek Post-EOL Support Node.js — Trip report: Node.js collaboration summit (2025 Paris) Node.js — Node.js 22.16.0 (LTS) Node.js — Node.js 24.1.0 (Current) Node.js — Node.js 24.0.2 (Current) Node.js — Node.js 23.11.1 (Current) Node.js — Node.js 22.15.1 (LTS) Node.js — Node.js 20.19.2 (LTS) Node.js — Wednesday, May 14, 2025 Security Releases Node.js — Node.js 24.0.1 (Current) Node.js — Node.js 24.0.0 (Current) Node.js — Node.js Test CI Security Incident Node.js — Node.js 22.15.0 (LTS) Node.js — Node.js 20.19.1 (LTS) Node.js — Making Node.js Downloads Reliable Node.js — Node.js 23.11.0 (Current) Node.js — Node.js 23.10.0 (Current) Node.js — Node.js 20.19.0 (LTS) Node.js — Updates on CVE for End-of-Life Versions Node.js — Node.js 23.9.0 (Current) Node.js — Node.js 18.20.7 (LTS) Node.js — Node.js 20.18.3 (LTS) Node.js — Node.js 9.3.0 (Current) Node.js — Data Confidentiality/Integrity Vulnerability, December 2017 Node.js — Node.js 9.2.1 (Current) Node.js — Node.js 8.9.3 (LTS) Node.js — Node.js 4.8.7 (Maintenance) Node.js — Node.js 8.9.2 (LTS) Node.js — Node.js 6.12.1 (LTS) Node.js — Node.js 9.2.0 (Current) Node.js — Node.js 8.9.1 (LTS) Node.js — Node.js 9.1.0 (Current) Node.js — Node.js 0.10.35 (Stable) Node.js — Node.js 0.10.34 (Stable) Node.js — Node.js 0.10.29 (Stable)
Node.js — August 2018 Security Releases
2018-08-11 · via Node.js Blog

Rod Vagg

(Update 16-August-2018) Security releases available

Summary

Updates are now available for all active Node.js release lines. These include upgrades for OpenSSL and fixes for the vulnerabilities identified in the initial announcement (below).

We recommend that all users upgrade as soon as practical.

Downloads & release details

Downloads are available for the following versions. Details of code changes can also be found on each release page.

OpenSSL: Client DoS due to large DH parameter (CVE-2018-0732)

All actively supported release lines of Node.js are impacted by this flaw. Patches are included in both OpenSSL 1.1.0i (Node.js 10) and 1.0.2p (Node.js 6 LTS "Boron" and Node.js 8 LTS "Carbon").

This fixes a potential denial of service (DoS) attack against client connections by a malicious server. During a TLS communication handshake, where both client and server agree to use a cipher-suite using DH or DHE (Diffie–Hellman, in both ephemeral and non-ephemeral modes), a malicious server can send a very large prime value to the client. Because this has been unbounded in OpenSSL, the client can be forced to spend an unreasonably long period of time to generate a key, potentially causing a denial of service.

Impact:

  • All previous versions of Node.js 6.x (LTS "Boron") are vulnerable
  • All previous versions of Node.js 8.x (LTS "Carbon") are vulnerable
  • All previous versions of Node.js 10.x (Current) are vulnerable

Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)

Node.js does not expose RSA key generation functionality. Therefore, Node.js is not impacted by this vulnerability.

All actively supported release lines of Node.js are impacted by this flaw. Patches are included in both OpenSSL 1.1.0i (Node.js 10) and 1.0.2p (Node.js 6 LTS "Boron" and Node.js 8 LTS "Carbon").

Attackers with access to observe cache-timing may be able to extract DSA or ECDSA private keys by causing the victim to create several signatures and watching responses. This flaw does not have a CVE due to OpenSSL policy to not assign itself CVEs for local-only vulnerabilities that are more academic than practical. This vulnerability was discovered by Keegan Ryan at NCC Group and impacts many cryptographic libraries including OpenSSL.

Impact:

  • All previous versions of Node.js 6.x (LTS "Boron") are vulnerable
  • All previous versions of Node.js 8.x (LTS "Carbon") are vulnerable
  • All previous versions of Node.js 10.x (Current) are vulnerable

Unintentional exposure of uninitialized memory (CVE-2018-7166)

Only Node.js 10 is impacted by this flaw. Our previous announcement wrongly stated that all release lines were vulnerable.

Node.js TSC member Сковорода Никита Андреевич (Nikita Skovoroda / @ChALkeR) discovered an argument processing flaw that causes Buffer.alloc() to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying encoding can be passed as a number, this is misinterpreted by Buffer's internal "fill" method as the start to a fill operation. This flaw may be abused where Buffer.alloc() arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.

Impact:

  • All versions of Node.js 6.x (LTS "Boron") are NOT vulnerable
  • All versions of Node.js 8.x (LTS "Carbon") are NOT vulnerable
  • All previous versions of Node.js 10.x (Current) are vulnerable

Out of bounds (OOB) write (CVE-2018-12115)

All actively supported release lines of Node.js are impacted by this flaw.

Node.js TSC member Сковорода Никита Андреевич (Nikita Skovoroda / @ChALkeR) discovered an OOB write in Buffer that can be used to write to memory outside of a Buffer's memory space. This can corrupt unrelated Buffer objects or cause the Node.js process to crash.

When used with UCS-2 encoding (recognized by Node.js under the names 'ucs2', 'ucs-2', 'utf16le' and 'utf-16le'), Buffer#write() can be abused to write outside of the bounds of a single Buffer. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written.

Impact:

  • All previous versions of Node.js 6.x (LTS "Boron") are vulnerable
  • All previous versions of Node.js 8.x (LTS "Carbon") are vulnerable
  • All previous versions of Node.js 10.x (Current) are vulnerable

Original post is included below

Summary

The Node.js project will be releasing new versions for each of its supported release lines on, or shortly after, the 15th of August, 2018 (UTC). These releases will incorporate a number of security fixes and an upgraded version of OpenSSL.

We consider all of the flaws being addressed in these releases to be low severity. However, users should assess the severity of the impact on their own applications using the information disclosed here and the additional disclosure that will come with the releases.

OpenSSL 1.1.0i and 1.0.2p

The OpenSSL team have announced that OpenSSL 1.1.0i and 1.0.2p will be made available on the 14th of August, 2018. There will be three "LOW severity" security fixes in this release that have already been disclosed, and the fixes made available on the OpenSSL git repository. Two of these items are relevant to Node.js users:

  • OpenSSL: Client DoS due to large DH parameter (CVE-2018-0732)
  • OpenSSL: ECDSA key extraction via local side-channel (CVE not assigned)

Impact:

  • All versions of Node.js 6.x (LTS "Boron") are impacted via OpenSSL 1.0.2
  • All versions of Node.js 8.x (LTS "Carbon") are impacted via OpenSSL 1.0.2
  • All versions of Node.js 10.x (Current) are impacted via OpenSSL 1.1.0

Node.js security inclusions

  • Unintentional exposure of uninitialized memory (CVE-2018-7166)
  • Out of bounds (OOB) write (CVE-2018-12115)

All actively supported release lines of Node.js are impacted by these flaws.

Additional inclusions

We will also be including the following items in these releases for LTS release lines:

The Node.js 10 "Current" release will not be limited to only security-related updates, as per policy for non-LTS release lines.

Release timing

Releases will be available at, or shortly after, the 15th of August, 2018 (UTC), along with disclosure of details of the flaws addressed in order to allow for complete impact assessment by users.

The current Node.js security policy can be found at https://github.com/nodejs/node/security/policy#security.

Please contact [email protected] if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.