CVE-2018-7160

Name of the Vulnerable Software and Affected Versions Node.js versions 6.x and later

Description The issue allows for a DNS rebinding attack, potentially leading to remote code execution. This can be exploited by malicious websites open in a web browser on the same computer or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to bypass same-origin-policy checks, allowing HTTP connections to localhost or hosts on the local network. If a Node.js process with the debug port active is running, the malicious website could connect to it as a debugger and gain full code execution access.

Recommendations For Node.js versions 6.x and later, consider disabling the debug port to prevent exploitation until a fix is available. Restrict access to the Node.js inspector to minimize the risk of exploitation. Avoid opening malicious websites while running a Node.js process with the debug port active. At the moment, there is no information about a newer version that contains a fix for this vulnerability.