PT-2022-5492 · Node.Js+9
Haxatron1 · Published 2022-11-04 · Updated 2026-05-18
CVE-2022-43548 · CVSS v3.1 8.1 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Node.js versions prior to 14.21.1
Node.js versions prior to 16.18.1
Node.js versions prior to 18.12.1
Node.js versions prior to 19.0.1
Description
An OS command injection vulnerability (the classification used by the Node.js advisory) exists in Node.js because the IsAllowedHost check that guards the --inspect debugger endpoint is insufficient and can be bypassed. The underlying IsIPAddress test mishandles octal IP address notation and accepts strings that are not valid IP addresses, so a request whose Host header carries such a string is treated as though it named an IP literal. A browser cannot connect to the malformed string as an address and resolves it through DNS instead, which hands an attacker who controls the DNS answers a DNS rebinding path to the inspector's WebSocket endpoint and, through it, arbitrary code execution in the debugged process. The estimated number of potentially affected devices worldwide is not available.
Recommendations
For versions prior to 14.21.1, update to version 14.21.1 or later.
For versions prior to 16.18.1, update to version 16.18.1 or later.
For versions prior to 18.12.1, update to version 18.12.1 or later.
For versions prior to 19.0.1, update to version 19.0.1 or later.
If updating is not immediately possible, do not start Node.js with --inspect (or --inspect-brk) in production, and on developer machines enable the inspector only for the duration of a debugging session and stop it afterwards. Note that the inspector listens on 127.0.0.1 by default and a rebinding attack is launched from the victim's own browser, so binding to loopback alone does not prevent it; restricting who can reach the inspector port and when it is running is what reduces exposure. The malformed address is part of the attacker's request, not of the --inspect argument, so there is no operator-side setting that avoids it short of disabling the inspector or updating.
Fix
Update to a patched release listed above; the fix hardens the inspector's IP address validation.
Vulnerability type
OS Command Injection
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Node.Js
Red Hat
Rocky Linux
Suse
Ubuntu