OS command injection vulnerability in Node.js - CVE-2022-32212
ID: oval:org.secpod.oval:def:85368 | Date: (C)2022-11-08 (M)2024-05-22
Class: VULNERABILITY | Family: windows
The host is installed with Node.js 14.0.0 before 14.20.0, 16.0.0 before 16.16.0, or 18.0.0 before 18.5.0 and is prone to an OS command injection vulnerability. A flaw is present in the application, which fails to properly validate IP addresses: the IsAllowedHost check is insufficient and can easily be bypassed because IsIPAddress does not properly check whether an IP address is invalid before making DNS requests, which allows DNS rebinding attacks. On successful exploitation, an attacker can connect to the WebSocket debugger, allowing for arbitrary code execution.
Platform:
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 8.1
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2012
Microsoft Windows 7
Microsoft Windows 10
Microsoft Windows Server 2016
Microsoft Windows Server 2019
Microsoft Windows 11
Microsoft Windows Server 2022