CVE-2017-15896
CRITICAL
Node.js 4.0.0-4.1.1 and 4.2.0-4.8.6 - TLS Authentication Bypass via OpenSSL CVE-2017-3737
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 with regard to the use of SSL_read() due to a TLS handshake failure. As a result, an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.
References (1)
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
Scores
CVSS v3: 9.1
EPSS: 0.0016
EPSS Percentile: 36.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
Status: published
Products (6)
nodejs/node.js: 4.0.0 - 4.1.2
nodejs/node.js: 4.2.0 - 4.8.7
The Node.js Project/Node.js: 4.0.0 and higher
The Node.js Project/Node.js: 6.0.0 and higher
The Node.js Project/Node.js: 8.0.0 and higher
The Node.js Project/Node.js: 9.0.0 and higher
Published: Dec 11, 2017
Tracked Since: Feb 18, 2026