CVE-2022-32212

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-32212

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-32212.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-32212

Aliases

Downstream

ALPINE-CVE-2022-32212

DEBIAN-CVE-2022-32212

DLA-3137-1

DSA-5326-1

OESA-2023-1551

RHSA-2022:6389

RHSA-2022:6448

RHSA-2022:6449

RHSA-2022:6595

RHSA-2022:6985

SUSE-SU-2022:2415-1

SUSE-SU-2022:2416-1

SUSE-SU-2022:2417-1

SUSE-SU-2022:2425-1

SUSE-SU-2022:2430-1

SUSE-SU-2022:2491-1

SUSE-SU-2022:2551-1

SUSE-SU-2022:2855-1

SUSE-SU-2023:0408-1

SUSE-SU-2023:0419-1

UBUNTU-CVE-2022-32212

USN-6491-1

openSUSE-SU-2024:12199-1

openSUSE-SU-2024:12349-1

Related

Published

2022-07-14T15:15:08Z

Modified

2025-10-08T05:13:30.400093Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

References

https://hackerone.com/reports/1632921

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Introduced

c1da528bc25c9cc5a8240a7b4f136f5968f6e113

Fixed

c11b8215bd6388854efcc9302a7383c8c63b8127

Affected versions

v14.*

v14.15.0

v14.15.1

v14.15.2

v14.15.3

v14.15.4

v14.15.5

v14.16.0

v14.16.1

v14.17.0

v14.17.1

v14.17.2

v14.17.3

v14.17.4

v14.17.5

v14.17.6

v14.18.0

v14.18.1

v14.18.2

v14.18.3

v14.19.0

v14.19.1

v14.19.2

v14.19.3

v14.20.0