The Node.js maintainers have fixed a security issue in the runtime's zlib compression module that could be exploited by attackers to remotely crash the runtime.
The vulnerability is tracked as CVE-2017-14919 and stems from a behavior change in zlib v1.2.9 concerning the windowBits parameter. The library documents values between 8 and 15 for this parameter, and older releases silently used 9 when handed 8. Since v1.2.9, however, zlib returns an error when a raw deflate stream (one without the zlib header) is initialized with a windowBits of 8, so 9 is in effect the smallest value such a stream accepts.
Zlib is a compression library that implements the DEFLATE algorithm together with the zlib and gzip container formats. It's used to compress data streams and HTTP requests and responses, saving bandwidth. The windowBits parameter sets the size of the sliding window the library keeps in memory while compressing: the window holds 2^windowBits bytes of recently seen data, so 8 means 256 bytes and 15 means 32 KiB.
A larger window can result in better compression because the algorithm can find repeated byte sequences further back in the stream and encode them as short back-references instead of repeating them. However, the window, and the hash tables used to search it, must be allocated for every open stream, so a larger window means higher memory usage for the process.
Node.js' zlib module lets callers set windowBits, and protocols such as the WebSocket permessage-deflate extension let a remote peer request the value. Some clients request the minimum of 8, which older zlib releases accepted but which zlib 1.2.9 no longer supports for raw deflate streams. When Node.js versions built with zlib 1.2.9 or later encounter such a request they either throw an exception or, in some versions, crash outright, resulting in a denial-of-service condition.
“This problem (Node.js crashing or throwing an exception) could be remotely exploited using some of the existing WebSocket clients that may request a value of 8 for windowBits in certain cases or with a custom built WebSocket client,” the Node.js developers said in an advisory. “There may also exist other vectors through which a zLib operation would be initiated by a remote request with a window size that results in a value of windowBits of 8.”
In the versions where the bad value causes a hard crash rather than an exception, the Node.js process cannot catch the error or recover by itself, so a single malicious request takes down the whole server rather than one connection. The impact is therefore serious for any service that accepts compression parameters from remote peers.
Users are advised to upgrade to Node v8.8.0, v6.11.5 (LTS "Boron") or v4.8.5 (LTS "Argon"). These versions silently change a requested windowBits value of 8 to 9 before calling into zlib, restoring the behavior of earlier zlib releases. Applications that cannot upgrade immediately should reject or clamp a windowBits of 8 in their own code before a compression stream is created, rather than passing remotely supplied values straight to zlib.
The latest releases also include many other bug fixes. The notable changes for the "current" 8.8.0 branch include: exposing the Elliptic-curve Diffie-Hellman (ECDH) class for cryptographic key agreement, exposing http2 by default without the need for the --expose-http2 flag, adding a new environment variable called NODE_NO_HTTP2 to disable it, and adding resolve and instantiate loader pipeline hooks to the ESM lifecycle.