QwikSec

Security Database

CVE

CWE

Training

CVE-2022-43548

Published: Dec 5, 2022

Modified: Apr 30, 2025

PUBLISHED

Description

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.

Vendor	Product	Versions
NodeJS	Node	affected `4.0 - < 4.` affected `5.0 - < 5.` affected `6.0 - < 6.` affected `7.0 - < 7.` affected `8.0 - < 8.*` +11 more versions

Weaknesses (CWE)

References

https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/

https://security.netapp.com/advisory/ntap-20230120-0004/

vendor-advisory

[debian-lts-announce] 20230226 [SECURITY] [DLA 3344-1] nodejs security update

mailing-list

https://security.netapp.com/advisory/ntap-20230427-0007/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.