8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-7160

GHSA ID

GHSA-wq4c-wm6x-jw44

EPSS Score

0.77719%

CWE

CWE-290

Published

5/13/2022

Updated

10/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-7160

CVE-2018-7160:
Withdrawn Advisory: Node.js Inspector RCE via DNS Rebinding

Withdrawn Advisory

This advisory has been withdrawn because this vulnerability affects inspector code in https://github.com/nodejs/node, not the legacy debugger at https://github.com/node-inspector/node-inspector. https://github.com/nodejs/node is not in a supported ecosystem.

Original Description

The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-7160

GHSA ID

GHSA-wq4c-wm6x-jw44

EPSS Score

0.77719%

CWE

CWE-290

Published

5/13/2022

Updated

10/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
node-inspector	npm	>= 6.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from inadequate Host header validation in the inspector's WebSocket handshake process. The core issue was in message_complete_cb which didn't perform proper Host validation before the fix added IsAllowedHost checks. The header_value_cb's original implementation only looked for specific headers without maintaining full header context, making the Host validation incomplete. The commit e3950d1 added Host validation and proper header handling, indicating these were the missing security checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Wit**r*wn **visory T*is **visory **s ***n wit**r*wn ****us* t*is vuln*r**ility *****ts insp**tor *o** in *ttps://*it*u*.*om/no**js/no**, not t** [l****y ***u***r](*ttps://no**js.or*/*n/*o*s/insp**tor#l****y-***u***r) *t *ttps://*it*u*.*om/no**-ins

Reasoning

T** vuln*r**ility st*ms *rom in***qu*t* *ost *****r v*li**tion in t** insp**tor's W**So*k*t **n*s**k* pro**ss. T** *or* issu* w*s in m*ss***_*ompl*t*_** w*i** *i*n't p*r*orm prop*r *ost v*li**tion ***or* t** *ix ***** Is*llow***ost ****ks. T** *****r

8.8

Basic Information

Concerned about an active attack path?

CVE-2018-7160: Withdrawn Advisory: Node.js Inspector RCE via DNS Rebinding

Withdrawn Advisory

Original Description

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2018-7160:
Withdrawn Advisory: Node.js Inspector RCE via DNS Rebinding

Vulnerability Intelligence
Miggo AI