CVE-2021-22931: Input Validation

Published Aug 11, 2021

A flaw was found in Node.js: the Node.js DNS library does not validate hostnames returned by Domain Name Servers. This missing input validation can lead to remote code execution, cross-site scripting (XSS), and application crashes, to the output of wrong hostnames (leading to domain hijacking), and to injection vulnerabilities in applications using the library.

Other sources

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, and Application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js dns library, which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Microsoft

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Node.js could provide weaker than expected security, caused by missing input validation on hostnames returned by DNS servers. An attacker could exploit this vulnerability to cause output of wrong hostnames, leading to Domain Hijacking and injection vulnerabilities in applications using the library.

IBM

Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js DNS library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

References: https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/

Red Hat

Affected Software

28 affected components (fixes available)

redhat/rh-nodejs14-nodejs < 0:14.17.5-1.el7 (fixed in 0:14.17.5-1.el7)
redhat/rh-nodejs12-nodejs < 0:12.22.5-1.el7 (fixed in 0:12.22.5-1.el7)
redhat/rh-nodejs12-nodejs-nodemon < 0:2.0.3-5.el7 (fixed in 0:2.0.3-5.el7)
redhat/nodejs < 12.22.5 (fixed in 12.22.5)
redhat/nodejs < 14.17.5 (fixed in 14.17.5)
redhat/nodejs < 16.6.2 (fixed in 16.6.2)
IBM Cognos Controller 11.0.0 - 11.0.1
Nodejs Node.js >= 12.0.0, <= 12.12.0
Nodejs Node.js >= 12.13.0, < 12.22.5
Nodejs Node.js >= 14.0.0, <= 14.14.0
Nodejs Node.js >= 14.15.0, < 14.17.5
Nodejs Node.js >= 16.0.0, < 16.6.2
NetApp Active IQ Unified Manager (VMware vSphere)
NetApp Active IQ Unified Manager (Windows)
NetApp Nextgen API
NetApp OnCommand Insight
NetApp OnCommand Workflow Automation
NetApp SnapCenter
Oracle GraalVM = 20.3.3
Oracle GraalVM = 21.2.0
Oracle MySQL Cluster <= 8.0.26
Oracle PeopleSoft Enterprise PeopleTools = 8.57
Oracle PeopleSoft Enterprise PeopleTools = 8.58
Oracle PeopleSoft Enterprise PeopleTools = 8.59
Siemens SINEC Infrastructure Network Services < 1.0.1.1
Microsoft cbl2 python-gevent 21.1.2-3
Microsoft cbl2 nodejs 16.14.0-1
Microsoft cm1 nodejs 14.17.5-1

Event History

Aug 11, 2021, 12:00 AM: CVE Published
Aug 16, 2021, 12:00 AM: CVE Published (via MITRE)
Aug 16, 2021, 12:00 AM: Data Sourced (via MITRE): Description, Weakness
Aug 25, 2021, 07:00 AM: Data Sourced (via Microsoft): Description, Severity, Weakness
Aug 25, 2021, 07:00 AM: Data Sourced (via Microsoft): Affected Software
Aug 25, 2021, 07:00 AM: Updated (via Microsoft): Description, Severity, Weakness

Parent advisories

This vulnerability appears in the following advisories.


Frequently Asked Questions

1. What is CVE-2021-22931?

CVE-2021-22931 is a vulnerability found in Node.js that can result in remote code execution, cross-site scripting (XSS), and application crashes.

2. What is the severity of CVE-2021-22931?

CVE-2021-22931 has a severity rating of medium.

3. How does CVE-2021-22931 affect Node.js?

CVE-2021-22931 stems from missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library.

4. Which versions of Node.js are affected by CVE-2021-22931?

Node.js versions 12.22.5, 14.17.5, and 16.6.2 are affected by CVE-2021-22931.

5. How can I fix CVE-2021-22931?

To fix CVE-2021-22931, update Node.js to version 12.22.5, 14.17.5, or 16.6.2.

© 2026 SecAlerts Pty Ltd.