Node.js CVE-2017-11499 Denial of Service Vulnerability

Node.js is prone to a remote denial-of-service vulnerability.

Successful exploitation of the issue will cause a denial-of-service condition.

Node.js 4.0 through 4.8.3, 5.x, 6.0 through 6.11.0, 7.0 through 7.10.0, and 8.0 through 8.1.3 are vulnerable.

Information

Bugtraq ID: 99959
Class: Input Validation Error
CVE: CVE-2017-11499

Remote: Yes
Local: No
Published: Jul 11 2017 12:00AM
Updated: Jul 28 2017 05:08PM
Credit: Michael Dawson
Vulnerable: Joyent Node.js 8.1.3
Joyent Node.js 8.1.2
Joyent Node.js 8.1.1
Joyent Node.js 8.1
Joyent Node.js 8.0
Joyent Node.js 7.10
Joyent Node.js 7.9
Joyent Node.js 7.8
Joyent Node.js 7.7.4
Joyent Node.js 7.7.3
Joyent Node.js 7.7.2
Joyent Node.js 7.7.1
Joyent Node.js 7.7
Joyent Node.js 7.6
Joyent Node.js 7.5
Joyent Node.js 7.4
Joyent Node.js 7.3
Joyent Node.js 7.2.1
Joyent Node.js 7.2
Joyent Node.js 7.1
Joyent Node.js 7.0
Joyent Node.js 6.11
Joyent Node.js 6.10.3
Joyent Node.js 6.10.2
Joyent Node.js 6.10.1
Joyent Node.js 6.10
Joyent Node.js 6.9.5
Joyent Node.js 6.9.4
Joyent Node.js 6.9.3
Joyent Node.js 6.9.2
Joyent Node.js 6.9.1
Joyent Node.js 6.9
Joyent Node.js 6.8.1
Joyent Node.js 6.8
Joyent Node.js 6.7
Joyent Node.js 6.6
Joyent Node.js 6.5
Joyent Node.js 6.4
Joyent Node.js 6.3.1
Joyent Node.js 6.3
Joyent Node.js 6.2.2
Joyent Node.js 6.2.1
Joyent Node.js 6.2
Joyent Node.js 6.1
Joyent Node.js 6.0
Joyent Node.js 5.12
Joyent Node.js 5.11.1
Joyent Node.js 5.11
Joyent Node.js 5.10.1
Joyent Node.js 5.10
Joyent Node.js 5.9.1
Joyent Node.js 5.9
Joyent Node.js 5.8
Joyent Node.js 5.7.1
Joyent Node.js 5.7
Joyent Node.js 5.6
Joyent Node.js 5.5
Joyent Node.js 5.4.1
Joyent Node.js 5.4
Joyent Node.js 5.3
Joyent Node.js 5.2
Joyent Node.js 5.1.1
Joyent Node.js 5.1
Joyent Node.js 5.0
Joyent Node.js 4.8.3
Joyent Node.js 4.8.2
Joyent Node.js 4.8.1
Joyent Node.js 4.8
Joyent Node.js 4.7.3
Joyent Node.js 4.7.2
Joyent Node.js 4.7.1
Joyent Node.js 4.7
Joyent Node.js 4.6.2
Joyent Node.js 4.6.1
Joyent Node.js 4.6
Joyent Node.js 4.5
Joyent Node.js 4.4.7
Joyent Node.js 4.4.6
Joyent Node.js 4.4.5
Joyent Node.js 4.4.4
Joyent Node.js 4.4.3
Joyent Node.js 4.4.2
Joyent Node.js 4.4.1
Joyent Node.js 4.4
Joyent Node.js 4.3.2
Joyent Node.js 4.3.1
Joyent Node.js 4.3
Joyent Node.js 4.2.6
Joyent Node.js 4.2.5
Joyent Node.js 4.2.4
Joyent Node.js 4.2.3
Joyent Node.js 4.2.2
Joyent Node.js 4.2.1
Joyent Node.js 4.2
Joyent Node.js 4.1.2
Joyent Node.js 4.1.1
Joyent Node.js 4.1
Joyent Node.js 4.0
IBM SDK for Node.js 4.8.3
IBM SDK for Node.js 8.1.2.0
IBM SDK for Node.js 6.11.0.0

Not Vulnerable: IBM SDK for Node.js 4.8.4
IBM SDK for Node.js 8.1.4.0
IBM SDK for Node.js 6.11.1.0

Exploit

The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

References:

Node.js Homepage (Joyent)
Security updates for all active release lines, July 2017 (Node.js)
swg22006298: Multiple vulnerabilities might affect IBM SDK for Node.js (IBM)

Source: www.securityfocus.com

Exploit Collector

Search Exploit