CVE-2018-7160
HIGHNode.js 6.0.0-6.8.0 and 6.9.0-6.13.1 - Remote Code Execution via DNS Rebinding Attack
Title source: llmDescription
The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Vendor Advisory x_refsource_confirm
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
Vendor Advisory x_refsource_confirm
https://support.f5.com/csp/article/K63025104?utm_source=f5support&%3Butm_medium=RSS
Scores
CVSS v3
8.8
EPSS
0.0150
EPSS Percentile
81.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-290
CWE-350
Status
published
Products (3)
nodejs/node.js
6.0.0 - 6.8.1
nodejs/node.js
6.9.0 - 6.14.0
npm/node-inspector
6.0npm
Published
May 17, 2018
Tracked Since
Feb 18, 2026