CVE-2021-22884 Overview
CVE-2021-22884 is a DNS rebinding vulnerability affecting Node.js versions before 10.24.0, 12.21.0, 14.16.0, and 15.10.0. The vulnerability exists because the Node.js Inspector whitelist includes "localhost6" as an allowed hostname. When localhost6 is not defined in the system's /etc/hosts file, it becomes an ordinary domain that resolves via DNS over the network rather than locally. This allows attackers who control the victim's DNS server or can spoof DNS responses to bypass DNS rebinding protections and execute the attack previously described in CVE-2018-7160.
Critical Impact
Attackers can bypass Node.js Inspector DNS rebinding protections to gain unauthorized access to the debugging interface, potentially leading to remote code execution on affected systems.
Affected Products
- Node.js versions before 10.24.0, 12.21.0, 14.16.0, and 15.10.0
- Fedora 32, 33, and 34
- NetApp Active IQ Unified Manager, E-Series Performance Analyzer, OnCommand Insight, OnCommand Workflow Automation, and SnapCenter
- Oracle GraalVM Enterprise Edition (19.3.5, 20.3.1.2, 21.0.0.2)
- Oracle JD Edwards EnterpriseOne Tools, MySQL Cluster, NoSQL Database
- Oracle PeopleSoft Enterprise PeopleTools (8.58, 8.59)
- Siemens SINEC Infrastructure Network Services
Discovery Timeline
- 2021-03-03 - CVE-2021-22884 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-22884
Vulnerability Analysis
This DNS rebinding vulnerability targets the Node.js Inspector debugging interface. The Inspector provides a powerful debugging API that, if accessed by unauthorized parties, can lead to arbitrary code execution. Node.js implements DNS rebinding protection by maintaining a whitelist of allowed hostnames that can access the Inspector interface.
The flaw stems from the inclusion of localhost6 in this whitelist. On systems where localhost6 is properly defined in /etc/hosts (typically mapping to ::1), this poses no security risk as DNS queries for localhost6 resolve locally. However, on many systems—particularly those not configured for IPv6 or those with minimal /etc/hosts configurations—localhost6 is not defined locally.
When localhost6 is absent from /etc/hosts, the system performs a standard DNS lookup over the network to resolve the hostname. This network-based resolution creates an attack vector: an adversary who can influence DNS responses (either by controlling the victim's DNS server or through DNS spoofing) can make localhost6 resolve to an arbitrary IP address.
Root Cause
The root cause is an overly permissive hostname whitelist in the Node.js Inspector's DNS rebinding protection mechanism. The assumption that localhost6 would always resolve locally is incorrect across diverse system configurations. This represents a reliance on reverse DNS resolution for security decisions (CWE-350), where the software trusts hostname-to-IP mappings without verifying they originate from a trusted source.
Attack Vector
The attack requires network access and involves the following steps:
- The attacker identifies a target running Node.js with the Inspector interface enabled
- The attacker either controls the victim's DNS server or positions themselves to perform DNS spoofing
- The attacker configures DNS to resolve localhost6 to an IP address they control
- The victim's browser or application makes a request to localhost6, which bypasses the DNS rebinding protection
- The attacker's malicious response can then interact with the Node.js Inspector interface
- Through the Inspector protocol, the attacker can execute arbitrary JavaScript code in the Node.js process context
This attack is a variant of CVE-2018-7160 but leverages the trusted localhost6 domain to bypass the protections that were implemented to address the original vulnerability. The attack requires user interaction and high attack complexity due to the DNS control requirements.
Detection Methods for CVE-2021-22884
Indicators of Compromise
- DNS queries for localhost6 from systems where it is not defined in /etc/hosts
- Unexpected connections to the Node.js Inspector port (default 9229) from external IP addresses
- DNS responses for localhost6 pointing to non-local IP addresses
- WebSocket connections to the Inspector endpoint from untrusted origins
Detection Strategies
- Monitor DNS query logs for localhost6 resolution requests from Node.js application servers
- Implement network monitoring rules to detect Inspector protocol traffic originating from external networks
- Review /etc/hosts files on systems running Node.js to verify localhost6 mappings exist
- Deploy DNS security solutions capable of detecting DNS rebinding attempts
Monitoring Recommendations
- Enable logging on Node.js Inspector interfaces when used in development environments
- Implement network segmentation to restrict Inspector access to authorized networks only
- Deploy DNS monitoring to identify suspicious resolution patterns for localhost variants
- Use SIEM correlation rules to detect potential DNS rebinding attack patterns
How to Mitigate CVE-2021-22884
Immediate Actions Required
- Upgrade Node.js to patched versions: 10.24.0, 12.21.0, 14.16.0, or 15.10.0 and later
- Add localhost6 to /etc/hosts with proper local IPv6 address mapping as a temporary mitigation
- Disable Node.js Inspector in production environments unless explicitly required
- Implement network-level controls to restrict access to Inspector ports
Patch Information
Node.js released security patches in February 2021 addressing this vulnerability. The Node.js February 2021 Security Releases announcement provides detailed information about the fix. Additional vendor patches are available from Oracle April 2021 Security Alerts, Oracle July 2021 Security Alerts, and Oracle October 2021 Security Alerts for affected Oracle products. Siemens has published Security Advisory SSA-389290 for SINEC Infrastructure Network Services.
Workarounds
- Add the following entry to /etc/hosts: ::1 localhost6 to ensure local resolution
- Use firewall rules to block external access to Node.js Inspector ports (typically 9229)
- Run Node.js without the --inspect flag in production environments
- Implement DNS security measures to prevent DNS spoofing attacks on your network
# Add localhost6 to /etc/hosts as a workaround
echo "::1 localhost6" | sudo tee -a /etc/hosts
# Block external access to Inspector port
sudo iptables -A INPUT -p tcp --dport 9229 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 9229 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
