A researcher has found a new vulnerability in Node.js that attackers could exploit to cause a DDoS crash or even execute remote code. The flaw lies in a feature of the express-fileupload component for Node.js, which has been downloaded more than 7 million times to date. An update that patches the flaw is available.
Flaw in Node.js Can Cause DDoS or RCE Attacks
Since this system is prone to “design attacks”, a hacker could exploit any available vulnerability to inject incompatible types of objects and cause errors, corrupting the code and eventually leading to a DDoS crash. According to Posix’s findings, the vulnerability is in the express-fileupload npm component for Node.js. The express-fileupload component is used to flatten the JSON files fed to it into nested objects.
More specifically, the “parseNested” feature is responsible for this type of attack. If parseNested is set to “true”, this would “instruct the server-sided application to start flattening the received data into nested JSON objects.” A hacker can thus trigger the attack by supplying a payload such as “__proto__.toString” in the Content-Disposition HTTP header.
Finally, the researcher said that not all systems using Node.js are vulnerable, but those that use “parseNested” are. While this can be used for DDoS attacks, combining EJS with express-fileupload could lead to RCE. A fix is available, and users are recommended to update to version 1.1.9 from npm.
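The flattening behaviour described above, as an added example that is not express-fileupload's own code: a simplified dotted-key flattener in a naive form that lets a `__proto__` path segment reach `Object.prototype`, next to a hardened form that rejects such segments and builds prototype-less objects. The function names, the field names and the harmless `pollutedFlag` property are assumptions made for illustration.

```javascript
// Added illustration; not express-fileupload's source. All names are hypothetical.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Naive: follows every dotted segment, including inherited ones like __proto__.
function parseNestedNaive(flat) {
  const out = {};
  for (const [key, value] of Object.entries(flat)) {
    const parts = key.split('.');
    let cur = out;
    for (const part of parts.slice(0, -1)) {
      if (typeof cur[part] !== 'object' || cur[part] === null) cur[part] = {};
      cur = cur[part];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Hardened: drops fields with dangerous segments, only descends into own
// properties, and builds objects that have no prototype at all.
function parseNestedSafe(flat) {
  const out = Object.create(null);
  for (const [key, value] of Object.entries(flat)) {
    const parts = key.split('.');
    if (parts.some((p) => BLOCKED.has(p))) continue;
    let cur = out;
    for (const part of parts.slice(0, -1)) {
      if (!hasOwn(cur, part) || typeof cur[part] !== 'object' || cur[part] === null) {
        cur[part] = Object.create(null);
      }
      cur = cur[part];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Runs both parsers on constructed form fields and reports the effect.
function demo() {
  const fields = { 'user.name': 'alice', '__proto__.pollutedFlag': 'yes' };
  parseNestedNaive(fields);
  const naivePolluted = ({}).pollutedFlag === 'yes'; // every object now inherits it
  delete Object.prototype.pollutedFlag;              // undo the side effect
  const safe = parseNestedSafe(fields);
  return { naivePolluted, safePolluted: 'pollutedFlag' in ({}), name: safe.user.name };
}

console.log(demo()); // { naivePolluted: true, safePolluted: false, name: 'alice' }
```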