QwikSec

Security Database

CVE

CWE

Training

CVE-2021-22884

Published: Mar 3, 2021

Modified: Apr 30, 2025

PUBLISHED

Description

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

Vendor	Product	Versions
NodeJS	Node	affected `4.0 - < 4.` affected `5.0 - < 5.` affected `6.0 - < 6.` affected `7.0 - < 7.` affected `8.0 - < 8.*` +7 more versions

Weaknesses (CWE)

References

https://hackerone.com/reports/1069487

x_refsource_MISC

https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

x_refsource_MISC

https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/#node-js-inspector-dns-rebinding-vulnerability-cve-2018-7160

x_refsource_MISC

FEDORA-2021-a760169c3c

vendor-advisory

x_refsource_FEDORA

FEDORA-2021-f6bd75e9d4

vendor-advisory

x_refsource_FEDORA

FEDORA-2021-6aaba80ba2

vendor-advisory

x_refsource_FEDORA

https://www.oracle.com/security-alerts/cpuApr2021.html

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20210416-0001/

x_refsource_CONFIRM

https://www.oracle.com//security-alerts/cpujul2021.html

x_refsource_MISC

https://www.oracle.com/security-alerts/cpuoct2021.html

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20210723-0001/

x_refsource_CONFIRM

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.