CVE-2022-32212
📋 TL;DR
This CVE describes a vulnerability in Node.js, classified as OS command injection, in which an insufficient host validation check can be bypassed, allowing attackers to carry out DNS rebinding attacks. It affects Node.js applications that make HTTP requests to user-controlled URLs and can potentially lead to remote code execution. All Node.js applications running vulnerable versions are affected.
💻 Affected Systems
- Node.js
📦 What is this software?
Fedora by Fedoraproject
Node.js by Nodejs
Sinec Ins by Siemens
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Server-side request forgery (SSRF) allowing internal network reconnaissance and potential data exposure from internal services.
If Mitigated
Limited impact with proper network segmentation and egress filtering, potentially only causing denial of service.
🎯 Exploit Status
Exploitation requires the application to make HTTP requests to attacker-controlled URLs. The vulnerability is well-documented in public reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.20.0, 16.20.0, 18.5.0 or later
Vendor Advisory: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
Restart Required: Yes
Instructions:
1. Identify the Node.js version with 'node --version'.
2. Upgrade to a patched version: 14.20.0+, 16.20.0+, or 18.5.0+.
3. Restart all Node.js applications and services.
4. Test application functionality after the upgrade.
🔧 Temporary Workarounds
Implement URL validation: add strict validation for all user-supplied URLs before making HTTP requests.
Use an allowlist for external domains: restrict HTTP requests to predefined allowlisted domains only.
🧯 If You Can't Patch
- Implement strict egress filtering to block outbound requests to internal IP ranges
- Deploy web application firewall (WAF) rules to detect and block DNS rebinding attempts
🔍 How to Verify
Check if Vulnerable:
Check the Node.js version with 'node --version' and compare it against the affected ranges (below 14.20.0, 16.20.0, or 18.5.0).
Check Version:
node --version
Verify Fix Applied:
Verify that the version is 14.20.0+, 16.20.0+, or 18.5.0+, then test the application's HTTP request functionality.
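The following is an added example, not code from the advisory or from the Node.js project. It covers two of the steps above: comparing a 'node --version' string against the patched floors listed in this advisory (14.20.0, 16.20.0, 18.5.0), and the temporary workaround of checking user-supplied URLs against a strict hostname allowlist before any outbound HTTP request. Release lines the advisory does not name (such as 15.x or 17.x) are treated as "unknown" and returned as null; that handling is an assumption, not something the advisory states.

```javascript
// Added example (not part of the advisory). Two defender-side helpers:
//  1) isVulnerableVersion: compares a `node --version` string against the
//     patched floors the advisory lists (14.20.0, 16.20.0, 18.5.0).
//  2) isAllowedUrl: strict allowlist check for user-supplied URLs before an
//     outbound HTTP request is made (the advisory's temporary workaround).

const PATCHED_FLOORS = { 14: [14, 20, 0], 16: [16, 20, 0], 18: [18, 5, 0] };

// Parse "v16.14.0" (or "16.14.0") into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  = below the patched floor for its release line
// false = at or above the patched floor (majors above 18 are treated as fixed)
// null  = release line not named in the advisory (assumption: consult vendor)
function isVulnerableVersion(versionString) {
  const ver = parseVersion(versionString);
  const floor = PATCHED_FLOORS[ver[0]];
  if (!floor) return ver[0] > 18 ? false : null;
  return compareVersions(ver, floor) < 0;
}

// Allowlist check: http(s) only, no embedded credentials, exact hostname
// match, and IP-literal hosts refused outright. The WHATWG URL parser
// normalises forms such as "0x7f.1" to "127.0.0.1", so the IP check sees
// the canonical form rather than the attacker's spelling.
function isAllowedUrl(rawUrl, allowedHosts) {
  let u;
  try { u = new URL(rawUrl); } catch { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  if (u.username || u.password) return false;
  const host = u.hostname.toLowerCase();
  if (/^[\d.]+$/.test(host) || host.startsWith('[')) return false; // IP literal
  return allowedHosts.includes(host);
}

// Usage on the running runtime: isVulnerableVersion(process.version)
```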
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Node.js processes
- Requests to internal IP addresses from external sources
- Multiple failed DNS resolution attempts
Network Indicators:
- HTTP requests to internal IP ranges from Node.js servers
- DNS queries for unusual or malicious domains
- Traffic patterns suggesting DNS rebinding
SIEM Query:
source="nodejs" AND (dest_ip IN private_ranges OR dest_host CONTAINS suspicious_domains)