What Critical Security Fixes Did Node.js Release on Sep 28?

On September 28 Node.js issued four security updates—including maintenance releases 0.10.47 and 0.12.16, LTS 4.6.0 Argon, and stable 6.7.0—addressing multiple CVEs such as wildcard certificate validation, HTTP header validation, OCSP extension misuse, and the SWEET32 attack, and urging users to upgrade promptly.


On September 28, Node.js released four security update versions:

- 0.10.47 (maintenance)
- 0.12.16 (maintenance)
- 4.6.0 Argon (LTS)
- 6.7.0 (stable)

The updates address security issues specific to each release line and bring all lines onto a single OpenSSL dependency that closes known vulnerabilities.

Note: the v4.5.x line will no longer receive updates; upgrade to v4.6.0 as soon as possible.

The vulnerabilities fixed include:

CVE-2016-7099: Wildcard Certificate Validation Bug

Fixed an error in TLS server handling of the “*” wildcard validation check.

Fix commit: https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b

CVE-2016-5325: HTTP Header Validation Issue

Added validation of the reason phrase argument of ServerResponse#writeHead() so that disallowed characters are rejected, mitigating potential HTTP Response Splitting attacks.

HTTP Response Splitting can enable XSS, web cache poisoning, etc.

Fix commit: https://github.com/nodejs/node/commit/c0f13e56a20f9bde5a67d873a7f9564487160762
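The following is an added example, not code from the original article or from the Node.js project: it reimplements the kind of reason-phrase check the CVE-2016-5325 fix introduced, written from the RFC 7230 reason-phrase grammar, and shows why a CRLF in that argument splits the response. The `safeWriteHead` wrapper and the `fakeResponse` stand-in for `http.ServerResponse` are assumptions of this example.

```javascript
// Added example (not the article's or Node.js's own code): reason-phrase
// validation in the spirit of the CVE-2016-5325 fix, written from RFC 7230.

// RFC 7230: reason-phrase = *( HTAB / SP / VCHAR / obs-text )
// Any other octet, in particular CR (0x0d) and LF (0x0a), ends the status
// line early and lets the caller inject extra header lines or a body.
const INVALID_REASON_CHAR = /[^\t\x20-\x7e\x80-\xff]/;

function isSafeReasonPhrase(reason) {
  return typeof reason === 'string' && !INVALID_REASON_CHAR.test(reason);
}

// What an unvalidated phrase would look like on the wire: counts the CRLF
// terminated lines the client would parse from the status line alone.
function statusLineCount(statusCode, reason) {
  const wire = `HTTP/1.1 ${statusCode} ${reason}\r\n`;
  return wire.split('\r\n').length - 1;
}

// Hardened wrapper around ServerResponse#writeHead() (assumed helper):
// refuse a reason phrase that fails the grammar check instead of writing it.
function safeWriteHead(res, statusCode, reason) {
  if (reason !== undefined && !isSafeReasonPhrase(reason)) {
    throw new TypeError('Invalid character in reason phrase');
  }
  return reason === undefined ? res.writeHead(statusCode)
                              : res.writeHead(statusCode, reason);
}

// Constructed inputs: a benign phrase and one carrying a CRLF-injected header.
const BENIGN_REASON = 'Not Found';
const CRAFTED_REASON = 'OK\r\nX-Injected: 1';

// Minimal stand-in for http.ServerResponse so the example runs offline;
// a real res from http.createServer() is used the same way.
function fakeResponse() {
  return { head: null, writeHead(code, reason) { this.head = { code, reason }; } };
}

function demo() {
  const good = fakeResponse();
  safeWriteHead(good, 404, BENIGN_REASON);
  let rejected = false;
  try { safeWriteHead(fakeResponse(), 200, CRAFTED_REASON); }
  catch (e) { rejected = e instanceof TypeError; }
  return { wroteBenign: good.head.reason === BENIGN_REASON,
           rejectedCrafted: rejected,
           craftedWireLines: statusLineCount(200, CRAFTED_REASON) };
}
```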

OpenSSL Vulnerabilities Overview

CVE-2016-6304: Unrestricted OCSP Status Request Extension

Allows a malicious client to exhaust server memory, causing a denial‑of‑service attack.

High severity – affects all Node.js versions.

CVE-2016-2183: SWEET32 Attack

Through SWEET32, an attacker can obtain authentication data (e.g., cookies) exchanged over HTTPS or OpenVPN.

More info: https://sweet32.info/

Impacts all Node.js versions.

For full details, see the original article.

Written by Node Underground

No language is immortal—Node.js isn’t either—but thoughtful reflection is priceless. This underground community for Node.js enthusiasts was started by Taobao’s Front‑End Team (FED) to share our original insights and viewpoints from working with Node.js. Follow us. BTW, we’re hiring.
