doc: describe what security issues are · nodejs/node@33fdbb5

@@ -172,6 +172,51 @@ Your email will be acknowledged within 24 hours, and you’ll receive a more

detailed response to your email within 48 hours indicating the next steps in

handling your report.

There are no hard and fast rules to determine if a bug is worth reporting as

a security issue. The general rule is any issue worth reporting

must allow an attacker to compromise the confidentiality, integrity

or availability of the Node.js application or its system for which the attacker

does not already have the capability.

To illustrate the point, here are some examples of past issues and what the

Security Reponse Team thinks of them. When in doubt, however, please do send

us a report nonetheless.

### Public disclosure preferred

- [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain

function can be used to cause segfaults_. Causing program termination using

either the public Javascript APIs or the private bindings layer APIs requires

the ability to execute arbitrary Javascript code, which is already the highest

level of privilege possible.

- [#12141](https://github.com/nodejs/node/pull/12141): _buffer: zero fill

Buffer(num) by default_. The buffer constructor behaviour was documented,

but found to be prone to [mis-use](https://snyk.io/blog/exploiting-buffer/).

It has since been changed, but despite much debate, was not considered misuse

prone enough to justify fixing in older release lines and breaking our

API stability contract.

### Private disclosure preferred

- [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/):

_Fix invalid wildcard certificate validation check_. This is a high severity

defect that would allow a malicious TLS server to serve an invalid wildcard

certificate for its hostname and be improperly validated by a Node.js client.

- [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes

the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities

in the TLS/SSL protocols also effect Node.js.

- [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/):

_Fix defects in HTTP header parsing for requests and responses that can allow

response splitting_. While the impact of this vulnerability is application and

network dependent, it is remotely exploitable in the HTTP protocol.

When in doubt, please do send us a report.

## Current Project Team Members

The Node.js project team comprises a group of core collaborators and a sub-group
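Review bot: the closing sentence "When in doubt, please do send us a report." duplicates "When in doubt, however, please do send us a report nonetheless." from the paragraph introducing the examples; keep one of the two (the closing one reads naturally after the lists) and drop the other. Three spelling fixes in the same hunk: "Security Reponse Team" should be "Security Response Team", "Javascript" should be "JavaScript" (twice, in the #14519 item), and "also effect Node.js" should be "also affect Node.js" (#5507 item). The rule sentence "must allow an attacker to compromise the confidentiality, integrity or availability of the Node.js application or its system for which the attacker does not already have the capability" is hard to parse; consider "must allow an attacker to compromise the confidentiality, integrity or availability of a Node.js application or its host in a way the attacker could not already achieve".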