PT-2022-7565 · Node.Js+9

Zeyu Zhang +1 · Published 2022-07-07 · Updated 2026-05-18 · CVE-2022-32212

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Node.js versions prior to 14.20.0
Node.js versions prior to 16.20.0
Node.js versions prior to 18.5.0

Description

An OS Command Injection vulnerability exists in Node.js due to an insufficient IsAllowedHost check. The check can easily be bypassed because IsIPAddress does not properly check whether an IP address is invalid before making DNS requests, allowing rebinding attacks. The vulnerability is related to the IsIPAddress function, which lacks input validation measures. This allows a remote attacker to access confidential data, compromise its integrity, and cause a denial of service.

Recommendations

For versions prior to 14.20.0, update to version 14.20.0 or later.
For versions prior to 16.20.0, update to version 16.20.0 or later.
For versions prior to 18.5.0, update to version 18.5.0 or later.
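
The kind of host check the description refers to, as an added example (not Node.js source and not part of this advisory): a lax IP-shape test beside a strict one, used in a Host-header allowlist for a loopback-only debug endpoint. All function names, the allowlist policy and the sample values are assumptions constructed for illustration.

```javascript
// Added example; every name here is hypothetical, not a Node.js API.

// Lax check (constructed for contrast): accepts anything shaped like digits
// and dots, so a string that is not a valid address still counts as an IP
// literal and may later be handed to a DNS resolver as a name.
function looksLikeIPv4(host) {
  return /^[0-9.]+$/.test(host) && host.split('.').length === 4;
}

// Strict check: exactly four decimal octets, each 0-255, no empty parts,
// no leading zeros (which some parsers read as octal).
function isStrictIPv4(host) {
  const parts = host.split('.');
  if (parts.length !== 4) return false;
  return parts.every((p) => /^(0|[1-9][0-9]{0,2})$/.test(p) && Number(p) <= 255);
}

// Extract the host part from a Host header value: "host[:port]" or "[v6]:port".
function hostOnly(header) {
  const h = header.trim().toLowerCase();
  if (h.startsWith('[')) {
    const end = h.indexOf(']');
    return end === -1 ? null : h.slice(0, end + 1);
  }
  const colon = h.lastIndexOf(':');
  return colon === -1 ? h : h.slice(0, colon);
}

// Allow only hosts that a DNS record cannot repoint: valid IPv4 literals,
// the IPv6 loopback literal, and "localhost" (policy assumed for this example).
function isAllowedHost(header) {
  const host = hostOnly(header);
  if (host === null || host === '') return false;
  if (host === 'localhost' || host === '[::1]') return true;
  return isStrictIPv4(host);
}
```

With the strict check, a Host value such as the constructed `192.0.2.999:9229` is rejected instead of being treated as an IP literal.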

Fix

Improper Access Control

OS Command Injection

Weakness Enumeration

Related Identifiers

ALSA-2022:6448
ALSA-2022:6595
ALT-PU-2022-2701
ALT-PU-2022-3073
ALT-PU-2022-3235
ALT-PU-2023-1461
AZL-10149
BDU:2024-07321
BIT-NODE-2022-32212
BIT-NODE-MIN-2022-32212
CESA-2022_6448
CESA-2022_6449
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2022-32212
DLA-3137-1
DSA-5326-1
MGASA-2022-0294
MGASA-2022-0354
OESA-2023-1551
OPENSUSE-SU-2022_2425-1
OPENSUSE-SU-2022_2430-1
OPENSUSE-SU-2022_2491-1
OPENSUSE-SU-2022_2551-1
OPENSUSE-SU-2022_2855-1
OPENSUSE-SU-2023_0419-1
OPENSUSE-SU-2024:12199-1
OPENSUSE-SU-2024:12349-1
RHSA-2022:6389
RHSA-2022:6448
RHSA-2022:6449
RHSA-2022:6595
RHSA-2022:6985
RHSA-2022_6448
RHSA-2022_6449
RHSA-2022_6595
RLSA-2022:6448
RLSA-2022:6449
RLSA-2022:6595
SUSE-SU-2022:2415-1
SUSE-SU-2022:2416-1
SUSE-SU-2022:2417-1
SUSE-SU-2022:2425-1
SUSE-SU-2022:2430-1
SUSE-SU-2022:2491-1
SUSE-SU-2022:2551-1
SUSE-SU-2022:2855-1
SUSE-SU-2022_2415-1
SUSE-SU-2022_2416-1
SUSE-SU-2022_2425-1
SUSE-SU-2022_2430-1
SUSE-SU-2022_2491-1
SUSE-SU-2022_2551-1
SUSE-SU-2023:0408-1
SUSE-SU-2023:0419-1
SUSE-SU-2023_0408-1
SUSE-SU-2023_0419-1
USN-6491-1

Affected Products

Alt Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
Node.js
Red Hat
Rocky Linux
SUSE
Ubuntu