Whether V8: CVE-2024-4761, CVE-2024-4947 and/or CVE-2024-5274 has impact on the use of nodejs

[dellagustin-sap]

Hello,

In our recent scans we have detected the following CVEs from V8 though its dependency in node.js:
https://nvd.nist.gov/vuln/detail/CVE-2024-4761
https://nvd.nist.gov/vuln/detail/CVE-2024-4947
https://nvd.nist.gov/vuln/detail/CVE-2024-5274

We would like to know if:

1. These CVEs do affect node.js if unpatched,
2. If there are plans to port this fixes to the V8 versions in use for node 18 and 20, and/or
3. if you would be willing to accept patches for fixing these CVEs in V8 branches used by the node versions mentioned above.

Thank you in advance.

[RafaelGSS]

@nodejs/v8 could you help here?

[hashseed]

These vulnerabilities do affect Node.js if it uses the unpatched versions of V8.

However, these three vulnerabilities only affect execution of untrusted code. Executing untrusted code happens constantly in the browser, but would be very unusual in Node.js. In fact executing untrusted code in Node.js would be dangerous in the first place since it would e.g. have access to the file system through fs.

[RafaelGSS]

Thanks @hashseed.

The Node.js threat model trusts in the code being run. Therefore, most of the V8 vulnerabilities that affect only the execution of untrusted code don't fall in our threat model.

[dellagustin-sap]

Thank you @RafaelGSS and @hashseed .
My organization is still interested in having the fixes for this CVEs backported to the active node.js branches of V8 used in node 18 and 20.
Would such backports be welcome (assuming of course that they follow the established processes and quality criteria).

[RafaelGSS]

Yes, backport PRs are welcome. Although, v18 is in maintenance mode, which means we don't schedule releases for this particular version.

[dellagustin-sap]

Hi @RafaelGSS , on "we don't schedule releases", how do you usually decide when to have a new release for versions in maintenance mode? I just want to have an idea of what we can expect in case we contribute with a patch.

[RafaelGSS]

Hi @RafaelGSS , on "we don't schedule releases", how do you usually decide when to have a new release for versions in maintenance mode? I just want to have an idea of what we can expect in case we contribute with a patch.

Usually, only Security Releases go out on maintenance mode lines. Unless a releaser wants to do it anyway. Although we don't consider it as a vulnerability in the Node.js security policy. If you create a patch for that, I can cherry-pick and release it to Node.js 18.

[dellagustin-sap]

@RafaelGSS , ok, thanks for clarifying it.