Node.js is facing two security vulnerabilities, including a potentially major denial-of-service issue, with patches for the problems not available for a week. Releases of Node.js ranging from 0.12 to version 5 are vulnerable to one or both issues.
"We have two previously undisclosed vulnerabilities. One's not that a big deal [the out-of-bound access issue], one's a slightly bigger deal," said Mikeal Rogers, community manager for the foundation. "Both will be fixed on Wednesday (December 2)" via patches that will be available at Nodejs.org. Rogers said these vulnerabilities had not been exploited.
The bulletin describes the DoS vulnerability as widespread among Node versions. "A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high, and users of the affected versions should plan to upgrade when a fix is made available."
Despite the seriousness of the security issues, Node representatives stressed that users shouldn't be worried. The threat to the community is "minimal," Rogers said. "In fact, we already have fixes for both. It is a routine part of our security policy, which we take seriously, to inform our community of vulnerabilities, and then give them time to plan for an upgrade."
Rogers said Node.js security is under more scrutiny since the formation of the foundation, which is affiliated with the Linux Foundation. "We have much more formal and proper security policy now."