A security issue was recently disclosed for Node.js. This affects versions of node starting at the 4.x line, all the way through 8.x.

As it stands, security updates were released a week ago and are currently available for all active release lines (including 7.x). We highly recommend you update your Node.js installations to patch this issue (assuming you haven’t already).

The issue in question is a type of high severity hash flooding attack. You can read more about the technical points of such an attack here. The updated releases also include some general security patches.

To give a general elaboration on this, the underlying issue had to do with releases of Node.js using a constant hash table seed. Although the releases were intended to have randomized seeds, it appears that building with V8 snapshots (the default) overwrote those randomized seeds with a constant one.

With the seed being constant, a malicious user could exploit this to perform a DoS attack. Knowing the seed in advance allows an individual to craft keys that intentionally collide, which ultimately leads to a significant performance dip (in the best case). It’s important to note that this kind of attack is nothing new, and it is something to look out for whenever untrusted user input ends up as a key in a hash table.

As for staying up to date with future security issues (such as this one), we recommend subscribing to the Node.js security mailing list. This is a fantastic way to catch wind of issues as soon as they’re announced. Staying on top of potential issues is a great way to keep your Parse Server running securely and safely.

Ben Friedman,