惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
爱范儿
爱范儿
人人都是产品经理
人人都是产品经理
博客园 - 司徒正美
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
量子位
罗磊的独立博客
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
小众软件
小众软件
C
Cybersecurity and Infrastructure Security Agency CISA
Cyberwarzone
Cyberwarzone
大猫的无限游戏
大猫的无限游戏
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
雷峰网
雷峰网
Simon Willison's Weblog
Simon Willison's Weblog
The Cloudflare Blog
博客园 - 三生石上(FineUI控件)
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园_首页
博客园 - 叶小钗
V
Vulnerabilities – Threatpost
T
The Exploit Database - CXSecurity.com
T
Tailwind CSS Blog
IT之家
IT之家
博客园 - 聂微东
Spread Privacy
Spread Privacy
V2EX - 技术
V2EX - 技术
S
Security Affairs
宝玉的分享
宝玉的分享
V
V2EX
C
Cisco Blogs
博客园 - Franky
美团技术团队
酷 壳 – CoolShell
酷 壳 – CoolShell
月光博客
月光博客
S
Securelist
J
Java Code Geeks
Webroot Blog
Webroot Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Proofpoint News Feed
Last Week in AI
Last Week in AI
L
LINUX DO - 热门话题
NISL@THU
NISL@THU
WordPress大学
WordPress大学
W
WeLiveSecurity
T
Threatpost
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
腾讯CDC
阮一峰的网络日志
阮一峰的网络日志

Node.js Blog

Node.js — Security Bug Bounty Program Paused Due to Loss of Funding Node.js — Node.js 25.9.0 (Current) Node.js — Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8 Node.js — Node.js 25.8.2 (Current) Node.js — Node.js 24.14.1 (LTS) Node.js — Node.js 22.22.2 (LTS) Node.js — Node.js 20.20.2 (LTS) Node.js — Tuesday, March 24, 2026 Security Releases Node.js — Node.js 25.8.1 (Current) Node.js — Evolving the Node.js Release Schedule Node.js — Node.js 22.22.1 (LTS) Node.js — Node.js 20.20.1 (LTS) Node.js — Node.js 25.8.0 (Current) Node.js — Node.js 25.7.0 (Current) Node.js — Node.js 24.14.0 (LTS) Node.js — New HackerOne Signal Requirement for Vulnerability Reports Node.js — Node.js 25.6.1 (Current) Node.js — Node.js 24.13.1 (LTS) Node.js — Node.js 25.6.0 (Current) Node.js — OpenSSL Security Advisory Assessment, January 2026 Node.js — Node.js 25.5.0 (Current) Node.js — Chalk to Node.js util styleText Node.js — Node.js 25.4.0 (Current) Node.js — Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users Node.js — Node.js 22.22.0 (LTS) Node.js — Node.js 25.3.0 (Current) Node.js — Node.js 24.13.0 (LTS) Node.js — Node.js 20.20.0 (LTS) Node.js — Tuesday, January 13, 2026 Security Releases Node.js — Node.js 24.12.0 (LTS) Node.js — Node.js 20.19.6 (LTS) Node.js — Node.js 25.2.1 (Current) Node.js — Node.js 24.11.1 (LTS) Node.js — Node.js 25.2.0 (Current) Node.js — Node.js 25.1.0 (Current) Node.js — Node.js 22.21.1 (LTS) Node.js — Node.js 24.11.0 (LTS) Node.js — Node.js v22 to v24 Node.js — Node.js v20 to v22 Node.js — Node.js v14 to v16 Node.js — Node.js v12 to v14 Node.js — Node.js 22.21.0 (LTS) Node.js — Node.js 25.0.0 (Current) Node.js — Node.js 24.10.0 (Current) Node.js — Node.js 24.9.0 (Current) Node.js — Node.js 22.20.0 (LTS) Node.js — Node.js 24.8.0 (Current) Node.js — Node.js 20.19.5 (LTS) Node.js — Node.js 22.19.0 (LTS) Node.js — Node.js 24.7.0 (Current) Node.js — Node.js 24.6.0 (Current) Node.js — Node.js 22.18.0 (LTS) Node.js — Node.js 24.5.0 (Current) Node.js — Node.js 20.19.4 (LTS) Node.js — Node.js 22.17.1 (LTS) Node.js — Node.js 24.4.1 (Current) Node.js — Tuesday, July 15, 2025 Security Releases Node.js — Node.js 24.4.0 (Current) Node.js — Node.js LGBTQIA+ Stories: Emelia Smith Node.js — Open sourced identity Node.js — Node.js 22.17.0 (LTS) Node.js — Node.js 24.3.0 (Current) Node.js — Node.js 20.19.3 (LTS) Node.js — In Memory of Mikeal Rogers: A Builder of Communities Node.js — Node.js 24.2.0 (Current) Node.js — Beware of End-of-Life Node.js Versions - Upgrade or Seek Post-EOL Support Node.js — Trip report: Node.js collaboration summit (2025 Paris) Node.js — Node.js 22.16.0 (LTS) Node.js — Node.js 24.1.0 (Current) Node.js — Node.js 24.0.2 (Current) Node.js — Node.js 23.11.1 (Current) Node.js — Node.js 22.15.1 (LTS) Node.js — Node.js 20.19.2 (LTS) Node.js — Wednesday, May 14, 2025 Security Releases Node.js — Node.js 24.0.1 (Current) Node.js — Node.js 24.0.0 (Current) Node.js — Node.js Test CI Security Incident Node.js — Node.js 22.15.0 (LTS) Node.js — Node.js 20.19.1 (LTS) Node.js — Making Node.js Downloads Reliable Node.js — Node.js 23.11.0 (Current) Node.js — Node.js 23.10.0 (Current) Node.js — Node.js 20.19.0 (LTS) Node.js — Updates on CVE for End-of-Life Versions Node.js — Node.js 23.9.0 (Current) Node.js — Node.js 18.20.7 (LTS) Node.js — Node.js 20.18.3 (LTS) Node.js — Node.js 9.3.0 (Current) Node.js — Data Confidentiality/Integrity Vulnerability, December 2017 Node.js — Node.js 9.2.1 (Current) Node.js — Node.js 8.9.3 (LTS) Node.js — Node.js 4.8.7 (Maintenance) Node.js — Node.js 8.9.2 (LTS) Node.js — Node.js 6.12.1 (LTS) Node.js — Node.js 9.2.0 (Current) Node.js — Node.js 8.9.1 (LTS) Node.js — Node.js 9.1.0 (Current) Node.js — Node.js 0.10.35 (Stable) Node.js — Node.js 0.10.34 (Stable) Node.js — Node.js 0.10.29 (Stable)
Node.js — December Security Release Summary
2015-12-04 · via Node.js Blog

Rod Vagg

Last week we announced the planned release of patch updates to the v0.12.x, v4.x and v5.x lines to fix two vulnerabilities. That was further amended by the announcement of OpenSSL updates with fixes for vulnerabilities labelled medium severity. The OpenSSL update impacts all active release lines, including v0.10.x.

Today we have released Node.js v0.10.41 (Maintenance), v0.12.9 (LTS), v4.2.3 "Argon" (LTS) and v5.1.1 (Stable) with fixes for the announced vulnerabilities and updates to OpenSSL. (/(/(/(/ For the purpose of understanding the impact that the fixed vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances we are providing details below.

CVE-2015-8027 Denial of Service Vulnerability

This critical denial of service (DoS) vulnerability impacts all versions of v0.12.x through to v5.x, inclusive. The vulnerability was discovered by Node.js core team member Fedor Indutny and relates to HTTP pipelining. Under certain conditions an HTTP socket may no longer have a parser associated with it but a pipelined request can trigger a pause or resume on the non-existent parser thereby causing an uncaughtException to be thrown. As these conditions can be created by an external attacker and cause a Node.js service to be shut down we consider this a critical vulnerability. It is recommended that users of impacted versions of Node.js exposing HTTP services upgrade to the appropriate patched versions as soon as practical.

  • Versions 0.10.x of Node.js are not affected.
  • Versions 0.12.x of Node.js are vulnerable, please upgrade to v0.12.9 (LTS).
  • Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
  • Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).

CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

A bug was discovered in V8's implementation of JSON.stringify() that can result in out-of-bounds reads on arrays. The patch was included in this week's update of Chrome Stable. While this bug is high severity for browsers, it is considered lower risk for Node.js users as it requires the execution of third-party JavaScript within an application in order to be exploitable.

Node.js users who expose services that process untrusted user-supplied JavaScript are at obvious risk. However, we recommend that all users of impacted versions of Node.js upgrade to the appropriate patched version in order to protect against malicious third-party JavaScript that may be executed within a Node.js process by other means.

  • Versions 0.10.x of Node.js are not affected.
  • Versions 0.12.x of Node.js are not affected.
  • Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
  • Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).

CVE-2015-3193 OpenSSL BN_mod_exp may produce incorrect results on x86_64

A bug exists in OpenSSL v1.0.2 in the Montgomery squaring procedure on the x64 architecture that expose potential attack vectors. Attacks against RSA and DSA are considered possible but with a very high degree of difficulty. Attacks against DHE key exchange is considered feasible but difficult. EC algorithms are not vulnerable. Node.js TLS servers using DHE key exchange are considered at highest risk although it is believed that Node.js' existing use of SSL_OP_SINGLE_DH_USE may make DHE attacks impractical. Details are available at http://openssl.org/news/secadv/20151203.txt.

OpenSSL v1.0.2 is used in Node.js v4.x LTS and v5.x. It is strongly recommended that Node.js users exposing TLS servers upgrade to patched versions as soon as practical.

  • Versions 0.10.x of Node.js are not affected.
  • Versions 0.12.x of Node.js are not affected.
  • Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
  • Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).(/ (/

CVE-2015-3194 OpenSSL Certificate verify crash with missing PSS parameter

A bug exists in OpenSSL v1.0.1 and v1.0.2 that may cause a crash during certificate verification procedures when supplied with a malformed ASN.1 signature using the RSA PSS algorithm. This may be used as a the basis of a denial of service (DoS) attack against Node.js TLS servers using client authentication. Node.js TLS clients are also impacted if supplied with malformed certificates for verification. Details are available at http://openssl.org/news/secadv/20151203.txt.

OpenSSL v1.0.0 is used in Node.js v0.10.x and v0.12.x. OpenSSL v1.0.2 is used in Node.js v4.x LTS and v5.x. It is strongly recommended that Node.js users employing either TLS client or server code upgrade as soon as practical.

  • Versions 0.10.x of Node.js are vulnerable, please upgrade to v0.10.41 (Maintenance).
  • Versions 0.12.x of Node.js are vulnerable, please upgrade to v0.12.9 (LTS).
  • Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
  • Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable). Note: Node.js users are not considered vulnerable to the two additional announced OpenSSL vulnerabilities: CVE-2015-3195 "X509_ATTRIBUTE memory leak" and CVE-2015-3196 "Race condition handling PSK identify hint". However, fixes for these bugs are included with the new versions of OpenSSL bundled with the newly patched versions of Node.js.