CVE-2021-22884 vulnerability in nodejs and Other Products
Published on March 3, 2021
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes localhost6. When localhost6 is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the localhost6 domain. As long as the attacker uses the localhost6 domain, they can still apply the attack described in CVE-2018-7160.
Weakness Type
Reliance on Reverse DNS Resolution for a Security-Critical Action
The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.
Products Associated with CVE-2021-22884
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-22884 are published in these products:
Affected Versions
NodeJS Node:- Version 4.0 and below 4.* is affected.
- Version 5.0 and below 5.* is affected.
- Version 6.0 and below 6.* is affected.
- Version 7.0 and below 7.* is affected.
- Version 8.0 and below 8.* is affected.
- Version 9.0 and below 9.* is affected.
- Version 10.0 and below 10.24.0 is affected.
- Version 11.0 and below 11.* is affected.
- Version 12.0 and below 12.21.0 is affected.
- Version 13.0 and below 13.* is affected.
- Version 14.0 and below 14.16.0 is affected.
- Version 15.0 and below 15.10.0 is affected.
Exploit Probability
EPSS
0.50%
Percentile
65.66%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.