CVE-2021-22931
In short
Node.js's DNS library doesn't properly validate hostnames returned by DNS servers, allowing attackers to inject malicious data that could crash the application, display wrong websites, or execute harmful code in web browsers.
Technical detail
The dns library fails to validate hostnames returned from DNS queries, enabling DNS response injection attacks. Attackers can exploit this via network-level DNS manipulation or compromised DNS servers to trigger XSS payloads, RCE, or application denial-of-service depending on how the application uses the returned hostname data.
Summary generated and translated by AI from the official description.
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
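Applications that consume names returned by the resolver can apply the missing validation themselves before a name reaches HTML, logs or a command line. The following is an added example, not code from Node.js or from the advisory; the function names are hypothetical, the sample data is constructed, and the strict letters-digits-hyphen rule (which also rejects underscores) is an assumption about what the application needs.

```javascript
// Added example: validate hostnames returned by DNS before using them.
// Label rule: letters, digits and hyphens only, 1-63 characters,
// no leading or trailing hyphen.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidHostname(name) {
  if (typeof name !== 'string') return false;
  // A single trailing dot (fully qualified form) is allowed.
  const host = name.endsWith('.') ? name.slice(0, -1) : name;
  if (host.length === 0 || host.length > 253) return false;
  return host.split('.').every((label) => LABEL.test(label));
}

// Split resolver output into usable names and rejected ones (kept for logging).
function partitionHostnames(names) {
  const accepted = [];
  const rejected = [];
  for (const n of names) (isValidHostname(n) ? accepted : rejected).push(n);
  return { accepted, rejected };
}

// `reverse` is injected by the caller, e.g. require('dns').promises.reverse.
async function reverseValidated(ip, reverse) {
  const { accepted, rejected } = partitionHostnames(await reverse(ip));
  if (rejected.length > 0) {
    // JSON.stringify escapes control characters so the log line stays intact.
    console.warn('dropped %d invalid name(s) for %s: %s',
      rejected.length, ip, JSON.stringify(rejected));
  }
  return accepted;
}

// Constructed sample of resolver output: two well-formed names and three
// carrying markup, a CRLF sequence and a NUL byte.
const SAMPLE = [
  'mail.example.com',
  'host-1.example.net.',
  '<b>x</b>.example.com',
  'a.example.com\r\nX-Injected: 1',
  'example.com\u0000.example.org',
];
```

Validation does not replace context-specific output encoding; a name that passes should still be escaped for the place it is written to.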
Affected products
NodeJS · Node
References
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://hackerone.com/reports/1178337
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
https://security.gentoo.org/glsa/202401-02
https://security.netapp.com/advisory/ntap-20210923-0001/
https://security.netapp.com/advisory/ntap-20211022-0003/
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html