Security Updates: Node 0.12 and io.js

2015-07-04 10:27:31 +0100 by Alex R. Young

Today security updates for Node 0.12, io.js 2.3 and io.js 1.8 were released due to a UTF-8 decoding bug in V8:

Here's the technical overview from the io.js Medium post:

Kris Reeves and Trevor Norris pinpointed a bug in V8 in the way it decodes UTF strings. This impacts Node at the Buffer to UTF8 String conversion and can cause a process to crash. The security concern comes from the fact that a lot of data from outside of an application is delivered to Node via this mechanism which means that users can potentially deliver specially crafted input data that can cause an application to crash when it goes through this path. We know that most networking and filesystem operations are impacted as would be many user-land uses of Buffer to UTF8 String conversion. We know that HTTP(S) header parsing is not vulnerable because Node does not convert this data as UTF8. This is a small consolation because it restricts the way HTTP(S) can be exploited but there is more to HTTP(S) than header parsing obviously. We also have no information yet on how the various TLS terminators and forward-proxies in use may potentially mitigate against the form of data required for this exploit.

Node 0.10 is not affected. Thanks to Rod Vagg for letting me know about this!