A patch will be released on Monday, October 5

Oct 1, 2015 21:13 GMT

There's an HTTP Denial of Service (DoS) vulnerability in Node.js and io.js, which the team plans to fix on Monday, October 5.

The announcement was made on Node's Security Google Group by Rod Vagg, a developer at NodeSource and one of Node's main overseers.

According to Rod's security disclosure, the bug only affects recent versions of Node.js and io.js. More specifically, these are Node.js 4.0.0, 4.1.0, and 4.1.1, along with all io.js 3.x versions.

Other iterations like Node 0.10.x, 0.12.x, and io.js 1.x and 3.x are not affected, but users are encouraged to update regardless.

Since the vulnerability is not patched, details have been embargoed and will be published on Monday, October 5, when the team plans to release new versions of Node and io.js.

The vulnerability was assigned CVE-2015-7384 and received a CVSS severity score of 5.9.

Node.js is an open-source platform that allows developers to run JavaScript code on the server side. The easiest way to describe Node is as a Web server for JavaScript, even if it's a lot more than that.

io.js is a fork of Node.js 0.12.x, which was developed between January 2014 and September 2014, and eventually merged back into Node.js, becoming Node.js version 4.0.0.

All io.js versions are officially unsupported, and users are urged to migrate back to Node.js as soon as possible.