This can be exploited to crash the Node Package Manager (NPM) server by sending it multiple CloseSession requests. An attacker sends a malicious package request to a victim's installation of Node.js and receives an error message because Node.js has exceeded the maximum number of connections allowed. The NPM server that handles package request responses is vulnerable to an attacker sending multiple CloseSession requests, which crash the server through memory exhaustion. An attacker can therefore crash the server in a denial-of-service (DoS) fashion by sending CloseSession requests with the deleteSubscription parameter equal to False. End users need to be careful when installing packages from untrusted sources and avoid sending CloseSession requests with the deleteSubscription parameter equal to False.

Vulnerability Scenario

An attacker sends a malicious package request to Node.js and crashes the server in a DoS fashion by sending CloseSession requests with the deleteSubscription parameter equal to False.

References

1. CVE-2022-24375 - Node.js and NPM DoS Vulnerability
2. https://www.npmjs.com/package/node-bin/npm
3. https://github.com/npm/npm/issues/120

Categories of Node.js modules

Node Package Manager (NPM) is a dependency manager for the JavaScript runtime Node.js and the platform's package management system. It is widely used on development and build servers to manage installation and dependencies of projects, though it is also used by end users to install third-party packages locally. NPM has been criticized for having security vulnerabilities that are serious enough to be potentially exploited by attackers in specific cases, including one that is still being actively exploited to this day.

CVE-2022-24376

This can be exploited to crash the Node Package Manager (NPM) server by sending a malicious package request to a victim's installation of Node.js, which returns an error message because Node.js has exceeded the maximum number of connections allowed. The NPM server that handles package request responses is vulnerable to such a request, which crashes the server through memory exhaustion. An attacker can therefore crash the server in a denial-of-service (DoS) fashion by sending a malicious package request with the deleteSubscription parameter equal to False. End users need to be careful when installing packages from untrusted sources and avoid sending a malicious package request with the deleteSubscription parameter equal to False.

Timeline

Published on: 08/24/2022 05:15:00 UTC
Last modified on: 08/26/2022 12:52:00 UTC

References