Node.js CVE Summary

Posted by RTL on May 24, 2019

CVE-2018-12123

  • Affected versions: before 6.15.0, 8.14.0, 10.14.0, 11.3.0
  • Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case “javascript:” (e.g. “javAscript:”) protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
  • Exploitation: of little practical use; at most it lets the javascript: protocol through.
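As an added example (not code from the original post), the defensive counterpart to the hostname-spoofing issue above: a check built on the WHATWG URL API instead of the legacy url.parse(), since that parser lower-cases the scheme before anything is compared. The allow-listed hostnames and sample URLs are constructed values.

```javascript
// Added example: hostname allow-listing that does not depend on url.parse().
// The WHATWG parser normalises the scheme to lower case, so 'javAscript:'
// ends up as protocol 'javascript:' and is rejected by the protocol allow-list.
// ALLOWED_HOSTS and the sample URLs are constructed values, not from the post.
const ALLOWED_HOSTS = new Set(['example.com', 'api.example.com']);
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

/**
 * Returns true only if `target` parses as an absolute http(s) URL whose
 * hostname is on the allow-list. Anything unparsable is rejected.
 */
function isAllowedTarget(target, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(target);            // global WHATWG URL; throws on invalid input
  } catch (e) {
    return false;
  }
  // url.protocol is always lower-case here, url.hostname is normalised too.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return false;
  return allowedHosts.has(url.hostname);
}

// Constructed sample inputs for a quick self-check.
const samples = [
  'https://example.com/callback',
  'HTTPS://EXAMPLE.COM/',
  'http://api.example.com:8080/v1',
  'javAscript://example.com/%0aalert(1)',
  'https://evil.example.net/',
  'not a url',
];
for (const s of samples) console.log(isAllowedTarget(s), s);
```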

CVE-2018-12116

  • Affected versions: before 6.15.0, 8.14.0
  • If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to be made to the same server.
  • Exploitation: send an unexpected path to the server.

CVE-2018-7160

  • Affected versions: 6.x and later
  • An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.
  • Exploitation

CVE-2017-14849

  • Affected version: 8.5.0
  • Allow remote attackers to access unintended files, because a change to “..” handling was incompatible with the pathname validation used by unspecified community modules.
  • Exploitation

CVE-2017-16082

  • Affected versions
  • When node-postgres handles a Postgres response packet of type Row Description, it concatenates the field names into generated code. Because they are not properly escaped, a specially crafted field name can break out of the single-quoted string in that code, resulting in code execution.
  • Exploitation

CVE-2014-6393

  • Affected versions: Express before 3.11, 4.5
  • Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.
  • Too expensive, I can't afford it… Exploitation