A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "ubuntu_priority": "medium", "binaries": [ { "nodejs-dev": "8.10.0~dfsg-2ubuntu0.4+esm4", "nodejs-doc": "8.10.0~dfsg-2ubuntu0.4+esm4", "nodejs": "8.10.0~dfsg-2ubuntu0.4+esm4", "nodejs-dbgsym": "8.10.0~dfsg-2ubuntu0.4+esm4" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "libnode64-dbgsym": "10.19.0~dfsg-3ubuntu1.3", "libnode64": "10.19.0~dfsg-3ubuntu1.3", "nodejs-doc": "10.19.0~dfsg-3ubuntu1.3", "nodejs": "10.19.0~dfsg-3ubuntu1.3", "libnode-dev": "10.19.0~dfsg-3ubuntu1.3", "nodejs-dbgsym": "10.19.0~dfsg-3ubuntu1.3" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "nodejs-doc": "12.22.9~dfsg-1ubuntu3.2", "libnode72": "12.22.9~dfsg-1ubuntu3.2", "nodejs": "12.22.9~dfsg-1ubuntu3.2", "libnode-dev": "12.22.9~dfsg-1ubuntu3.2", "libnode72-dbgsym": "12.22.9~dfsg-1ubuntu3.2", "nodejs-dbgsym": "12.22.9~dfsg-1ubuntu3.2" } ] }