Node.js flaw

A researcher has found a new vulnerability in Node.js that attackers could exploit to crash a server (a DDoS) or even execute remote code. The flaw was traced to a feature of the express-fileupload component for Node.js, which has been downloaded more than 7 million times so far. An update that patches this flaw is available.

Flaw in Node.js Can Cause DDoS or RCE Attacks

Posix, a security researcher, discovered this vulnerability in an npm component of Node.js; the bug class is known as prototype pollution in JavaScript. Since JavaScript is a prototype-based programming language, every function, object and data structure in it can be modified through the “__proto__” mutator.

Because this design is prone to such attacks, an attacker can use any available vulnerability to inject objects of incompatible types, causing errors that corrupt the code and eventually lead to a DDoS crash. According to Posix’s findings, the express-fileupload npm component of Node.js had exactly such a vulnerability. express-fileupload is used to flatten the JSON data it receives into nested objects.

More specifically, the “parseNested” option is responsible for this type of attack. If parseNested is set to “true”, it will “instruct the server-sided application to start flattening the received data into nested JSON objects.” An attacker can then send a Content-Disposition HTTP header carrying a payload such as “__proto__.toString” to trigger the attack.
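To make the flaw concrete from the defender's side, here is an added example (not express-fileupload's or the researcher's own code) of a dotted-key setter like the flattening that parseNested performs, in an unguarded form that shows why a “__proto__” segment pollutes Object.prototype and a hardened form that rejects such segments; the names FORBIDDEN, setNestedUnguarded, setNestedGuarded and demonstrate are assumed here for illustration, and the check uses a harmless constructed marker instead of toString.

```javascript
// Added example (not express-fileupload's or the researcher's code): a
// dotted-key setter like the flattening parseNested performs, in an
// unguarded and a hardened form. "FORBIDDEN", "setNestedUnguarded" and
// "setNestedGuarded" are names assumed here for illustration.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Unguarded: plain property access, so a "__proto__" segment resolves to
// Object.prototype and the following segment is written onto it.
function setNestedUnguarded(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened: reject forbidden segments outright, build intermediate
// containers without a prototype, and only descend into own properties.
function setNestedGuarded(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  if (parts.some((p) => FORBIDDEN.has(p))) {
    throw new Error(`rejected unsafe key segment in "${dottedKey}"`);
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, parts[i])) {
      cur[parts[i]] = Object.create(null);
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Constructed check with a harmless marker instead of toString: the
// unguarded setter leaks the marker onto every object, the guarded one
// refuses the key and leaves Object.prototype untouched.
function demonstrate() {
  setNestedUnguarded({}, '__proto__.pollutedMarker', 'x');
  const leaked = ({}).pollutedMarker === 'x';
  delete Object.prototype.pollutedMarker; // undo the pollution for this run
  let rejected = false;
  try { setNestedGuarded({}, '__proto__.pollutedMarker', 'x'); } catch (e) { rejected = true; }
  const clean = ({}).pollutedMarker === undefined;
  return { leaked, rejected, clean };
}
```

The same guard (deny-listing __proto__, constructor and prototype, and using prototype-less containers) is the usual mitigation for any key-path parser that accepts attacker-controlled names.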

Vulnerable configuration for express-fileupload

Beyond DDoS, the researcher also described another possible scenario that leads to remote code execution. This technique leverages Embedded JavaScript templates (EJS), a templating engine, together with express-fileupload. If EJS isn’t validating the uploaded data properly, an attacker can craft an HTTP request that overwrites the “outputFunctionName” option of EJS.

Finally, the researcher noted that not all systems using Node.js are vulnerable, only those that enable “parseNested”. On its own this can be used for DDoS attacks, while combining EJS with express-fileupload could lead to RCE. A fix is available, and users are recommended to update to version 1.1.9 from npm.
