|Description||The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|buster, buster (security)||10.24.0~dfsg-1~deb10u1||fixed|
|bullseye (security), bullseye||12.22.5~dfsg-2~11u1||fixed|
The information below is based on the following data on fixed versions.
|Package||Type||Release||Fixed Version||Urgency||Origin||Debian Bugs|
[stretch] - nodejs <not-affected> (Vulnerable code not present)
[jessie] - nodejs <not-affected> (Vulnerable code not present)
[wheezy] - nodejs <not-affected> (Vulnerable code not present)