Miggo Logo

CVE-2018-7160: Withdrawn Advisory: Node.js Inspector RCE via DNS Rebinding

8.8

CVSS Score
3.1

Basic Information

EPSS Score
0.77719%
Published
5/13/2022
Updated
10/9/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
node-inspectornpm>= 6.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from inadequate Host header validation in the inspector's WebSocket handshake process. The core issue was in message_complete_cb which didn't perform proper Host validation before the fix added IsAllowedHost checks. The header_value_cb's original implementation only looked for specific headers without maintaining full header context, making the Host validation incomplete. The commit e3950d1 added Host validation and proper header handling, indicating these were the missing security checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Wit**r*wn **visory T*is **visory **s ***n wit**r*wn ****us* t*is vuln*r**ility *****ts insp**tor *o** in *ttps://*it*u*.*om/no**js/no**, not t** [l****y ***u***r](*ttps://no**js.or*/*n/*o*s/insp**tor#l****y-***u***r) *t *ttps://*it*u*.*om/no**-ins

Reasoning

T** vuln*r**ility st*ms *rom in***qu*t* *ost *****r v*li**tion in t** insp**tor's W**So*k*t **n*s**k* pro**ss. T** *or* issu* w*s in m*ss***_*ompl*t*_** w*i** *i*n't p*r*orm prop*r *ost v*li**tion ***or* t** *ix ***** Is*llow***ost ****ks. T** *****r