Withdrawn Advisory: Node.js Inspector RCE via DNS Rebinding
High severity
GitHub Reviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated Oct 9, 2023
Withdrawn
This advisory was withdrawn on Oct 9, 2023
Description
Published by the National Vulnerability Database
May 17, 2018
Published to the GitHub Advisory Database
May 13, 2022
Reviewed
Jul 20, 2023
Withdrawn
Oct 9, 2023
Last updated
Oct 9, 2023
Withdrawn Advisory
This advisory has been withdrawn because this vulnerability affects inspector code in https://github.com/nodejs/node, not the legacy debugger at https://github.com/node-inspector/node-inspector. https://github.com/nodejs/node is not in a supported ecosystem.
Original Description
The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.
References