Critical security releases for node.js and io.js

First, the obvious: the handling of this hasn’t been ideal, it would have been nice to take our time and do this more strategically. It’s evening in the USA and it’s the weekend of the 4th of July.

We made the call to push forward because details about the bug and potential exploit has inadvertently made its way to a public forum so we’d rather given companies and users the tools to protect themselves and mitigate DoS if they happen to become a reality than sit on it and cross our fingers. The timing sucks, particularly for the USA where it’s hitting the weekend and the whole 4th of July thing makes this a nightmare for people managing large deployments but this is the call we made with the information available.

A short history

Kris Reeves and Trevor Norris pinpointed a bug in V8 in the way it decodes UTF strings. This impacts Node at the Buffer to UTF8 String conversion and can cause a process to crash. The security concern comes from the fact that a lot of data from outside of an application is delivered to Node via this mechanism which means that users can potentially deliver specially crafted input data that can cause an application to crash when it goes through this path. We know that most networking and filesystem operations are impacted as would be many user-land uses of Buffer to UTF8 String conversion. We know that HTTP(S) header parsing is not vulnerable because Node does not convert this data as UTF8. This is a small consolation because it restricts the way HTTP(S) can be exploited but there is more to HTTP(S) than header parsing obviously. We also have no information yet on how the various TLS terminators and forward-proxies in use may potentially mitigate against the form of data required for this exploit.

The initial ETA was midday PDT. Unfortunately, the patch wasn’t quite ready and there was an extended test and verification process for V8, io.js and Node.js during the day. The builds also take some time on top of that, hence the delay. Fedor Indutny created the fix, Ben Noordhuis, Trevor Norris, Julien Gilli, Rod Vagg, Michael Dawson and Jeremiah Senkpiel all worked very hard to make this land successfully.