Exploiting and Mitigating Node.js CVE-2015-8027 & CVE-2015-6764 Vulnerabilities
This article explains the technical details of Node.js CVE-2015-8027 and CVE-2015-6764 vulnerabilities, how they can be triggered through highWaterMark and HTTP UPGRADE misuse, and provides mitigation advice including version upgrades and Nginx filtering.
Introduction
Node.js released a critical update in version 4 that fixed several security vulnerabilities, notably CVE-2015-8027 and CVE-2015-6764. This article explains the details of these bugs and how they can be triggered.
CVE-2015-8027 Denial of Service Vulnerability
The bug is that parser.pause is called without first checking whether the socket's parser object still exists; when it does not, the call throws a TypeError that crashes the process. Three pieces interact to reach that state: highWaterMark, the HTTP UPGRADE mechanism, and response handling.
highWaterMark
highWaterMark is a stream option that sets the buffering threshold. In a Readable stream it caps the number of bytes buffered ahead of the consumer; in a Writable stream it caps the amount of data waiting to be flushed. Once the threshold is reached the stream signals backpressure and is paused, and that pause is the trigger for the vulnerability. The default value is 16 KB (or 16 for object streams); setting it too low causes frequent system calls, while setting it too high wastes memory.
UPGRADE
UPGRADE is an HTTP/1.1 header that asks the server to switch the connection to another protocol. During an upgrade the server releases the current HTTP parser, leaving socket.parser null, so any later call on it throws. The relevant code is in _http_server.js at line 371.
Response handling
Node.js keeps outgoing ServerResponse objects in an array on the socket. When many responses are queued and the writable side exceeds its highWaterMark, the socket is paused, and the pause path runs into the same missing check and the same TypeError.
Practical exploitation
To reproduce the issue, a server writes a 1024‑byte buffer for each request. A client then sends a flood of requests until the highWaterMark is exceeded, followed by an UPGRADE request; the pause that follows hits the now-null parser and the server crashes. Sample code (omitted for brevity) demonstrates this behavior. Besides upgrading Node.js, the vulnerability can be mitigated by filtering traffic at the Nginx layer in front of the application.
Warning: Do not misuse this information.
CVE-2015-6764 V8 Out‑of‑bounds Access Vulnerability
This bug lives in V8, the JavaScript engine Node.js embeds, rather than in Node.js's own code, and involves JSON.stringify. If a getter or a toJSON method invoked during serialization changes the length of the array being serialized, the serializer can read past the array's bounds. The original article shows example code and the corrected behavior after the fix.
After the fix, V8 adds array‑type checks and a start parameter to the SerializeJSArraySlow method, so the serializer re-validates the array instead of trusting the length it captured before the callback ran.
Conclusion
Attention to detail is crucial for code quality and application stability, especially for libraries used by others.
Many exceptions are triggered by subtle bugs; thorough testing remains essential.
Upgrade to the patched versions: v5.1.1, v4.2.3, v0.12.9.
References:
https://nodejs.org/en/blog/vulnerability/cve-2015-8027_cve-2015-6764/
https://github.com/nodejs/node/blob/master/lib/_http_server.js#L454
https://github.com/nodejs/node/blob/master/lib/_http_server.js#L371
https://github.com/nodejs/node/blob/master/deps/v8/test/mjsunit/regress/regress-crbug-554946.js
https://github.com/nodejs/node/blob/76a552c938e43eebbd0795e974f71250529f8cf5/deps/v8/src/json-stringifier.h#L429
https://github.com/nodejs/node/blob/master/deps/v8/src/json-stringifier.h#L430