
CVE-2022-32212

Published: 7/14/2022
Last updated: 4/30/2025
Reserved: 6/1/2022

An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed, because IsIPAddress does not properly check whether an IP address is invalid before making DNS requests, allowing rebinding attacks.

CNA assigner: hackerone (36234546-b8fa-4601-9d6f-f4e334aa8ea1)
Requested by: n/a

Opam packages affected (1)

conf-npm

Products affected (1)

Product Vendor Version
Node NodeJS < 8278a87bb1eeea94350d675ef961ee5a03341fde
