CVE-2022-32212
HIGH
Node.js <14.20.0, <16.20.0, <18.5.0 - OS Command Injection via IsAllowedHost Bypass
Title source: llmDescription
An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check whether an IP address is invalid before making DNS requests, allowing rebinding attacks.
References (1)
Third Party Advisory: https://hackerone.com/reports/1632921
Scores
CVSS v3
8.1
EPSS
0.0006
EPSS Percentile
19.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-284
CWE-78
Status
published
Products (9)
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 35
fedoraproject/fedora 36
fedoraproject/fedora 37
nodejs/node.js 14.0.0 - 14.14.0
nodejs/node.js 14.15.0 - 14.20.1
siemens/sinec_ins 1.0 (2 CPE variants)
siemens/sinec_ins < 1.0
Published
Jul 14, 2022
Tracked Since
Feb 18, 2026