CVE-2021-22931 Overview
Node.js versions before 16.6.0, 14.17.4, and 12.22.4 contain a critical vulnerability in the DNS library due to missing input validation of hostnames returned by Domain Name Servers. This flaw enables Remote Code Execution (RCE), Cross-Site Scripting (XSS), and application crashes. It can cause the library to output wrong hostnames, potentially leading to Domain Hijacking, and it exposes applications that use the library to injection vulnerabilities.
Critical Impact
This vulnerability allows remote attackers to execute arbitrary code, inject malicious scripts, crash applications, or hijack domains without requiring authentication or user interaction. The network-accessible attack vector combined with low exploitation complexity makes this a severe threat to affected Node.js deployments.
Affected Products
- Node.js (versions before 16.6.0, 14.17.4, and 12.22.4)
- NetApp Active IQ Unified Manager (VMware vSphere and Windows)
- NetApp NextGen API
- NetApp OnCommand Insight
- NetApp OnCommand Workflow Automation
- NetApp SnapCenter
- Oracle GraalVM Enterprise Edition (20.3.3 and 21.2.0)
- Oracle MySQL Cluster
- Oracle PeopleSoft Enterprise PeopleTools (8.57, 8.58, 8.59)
- Siemens SINEC Infrastructure Network Services
Discovery Timeline
- August 16, 2021 - CVE-2021-22931 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-22931
Vulnerability Analysis
This vulnerability resides in Node.js's DNS library and stems from improper input validation (CWE-20) combined with improper null termination (CWE-170). When the DNS library processes hostname responses from DNS servers, it fails to properly validate and sanitize the returned data before passing it to dependent application components.
The lack of input validation creates multiple attack surfaces. An attacker controlling or manipulating DNS responses can inject malicious payloads that the Node.js application will process as legitimate hostnames. This can result in code execution when the tainted hostname is used in security-sensitive operations, XSS attacks when hostnames are rendered in web contexts, or application crashes due to unexpected input handling.
Root Cause
The root cause is the absence of proper input validation for DNS responses in the Node.js dns library. When DNS queries are performed, the library accepts hostname data from DNS servers without adequate sanitization checks. This violates the principle of never trusting external input, especially from network sources that can be manipulated through DNS spoofing, cache poisoning, or malicious authoritative servers.
The improper null termination handling (CWE-170) further exacerbates the issue, as string boundaries may be incorrectly interpreted, allowing attackers to inject additional data beyond expected hostname values.
Attack Vector
The attack leverages the network-accessible DNS resolution process. An attacker can exploit this vulnerability through several methods:
- DNS Spoofing/Cache Poisoning: Injecting malicious DNS responses containing crafted hostnames with embedded payloads
- Malicious DNS Server: Configuring a DNS server to return specially crafted hostname values when queried by the vulnerable Node.js application
- Man-in-the-Middle: Intercepting and modifying DNS responses in transit
When the Node.js application processes these malformed hostnames, the injected content can execute as code, render as XSS payloads in web contexts, or cause the application to crash due to improper handling of unexpected input. The vulnerability requires no privileges or user interaction to exploit, as it operates entirely through automated DNS resolution processes.
Detection Methods for CVE-2021-22931
Indicators of Compromise
- Unusual DNS responses containing non-standard characters, escape sequences, or embedded JavaScript in hostname fields
- Application logs showing unexpected hostname values with special characters or code fragments
- Web application errors or crashes coinciding with DNS resolution activities
- Evidence of XSS attacks originating from server-side hostname processing
- DNS query patterns indicating potential cache poisoning or spoofing attempts
Detection Strategies
- Monitor DNS traffic for anomalous hostname responses containing script tags, encoded characters, or excessively long values
- Implement application-level logging for all DNS resolution operations to capture and analyze returned hostnames
- Deploy network intrusion detection rules to identify malformed DNS responses
- Review web application firewall logs for XSS patterns originating from internal DNS-related processing
- Audit Node.js application logs for crashes or exceptions in DNS-related code paths
Monitoring Recommendations
- Enable verbose logging for Node.js DNS library operations during the remediation period
- Configure SIEM rules to alert on hostname values containing potentially malicious patterns
- Monitor application performance metrics for unexpected crashes or resource consumption spikes
- Track DNS query and response pairs to identify discrepancies indicative of manipulation
- Implement continuous vulnerability scanning to identify unpatched Node.js instances
How to Mitigate CVE-2021-22931
Immediate Actions Required
- Upgrade Node.js immediately to version 16.6.0, 14.17.4, 12.22.4, or later depending on your release line
- Audit all applications using the Node.js dns library to assess exposure
- Implement DNS response validation at the application layer as a defense-in-depth measure
- Review network architecture for DNS security controls such as DNSSEC
- Coordinate with vendors of affected third-party products (NetApp, Oracle, Siemens) for their respective patches
Patch Information
Node.js has released security updates addressing this vulnerability. Organizations should upgrade to the following minimum versions:
- Node.js 16.x: Upgrade to 16.6.0 or later
- Node.js 14.x (LTS): Upgrade to 14.17.4 or later
- Node.js 12.x (LTS): Upgrade to 12.22.4 or later
For detailed patch information, refer to the Node.js August 2021 Security Releases. Additional vendor-specific patches are available from Oracle CPU October 2021, Oracle CPU January 2022, and Siemens Security Advisory SSA-389290.
Workarounds
- Implement application-level hostname validation before using DNS-resolved values in security-sensitive contexts
- Deploy web application firewalls with rules to block XSS patterns in responses derived from DNS operations
- Use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to reduce the risk of DNS response manipulation
- Isolate Node.js applications with strict network segmentation to limit exposure to malicious DNS responses
- Consider implementing allowlists for expected hostname patterns where feasible
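
One way to implement the application-level hostname validation listed under Workarounds; the reason codes it returns are also what the Detection Strategies section suggests logging and alerting on. This is an added example, not code from the Node.js project or from this advisory: the function names, the strict letter-digit-hyphen policy, and the sample values are assumptions.

```javascript
'use strict';
// Added example, not Node.js project code. checkHostname, filterResolved and
// safeReverse are hypothetical names; strict RFC 1123 letter-digit-hyphen
// labels are an assumed policy (relax it if you expect names like _dmarc).
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// Returns null when the value is an acceptable hostname, else a reason code.
function checkHostname(value) {
  if (typeof value !== 'string' || value.length === 0) return 'empty-or-not-string';
  if (value.includes('\0')) return 'embedded-nul'; // CWE-170: data after a NUL
  if (/[^\x21-\x7e]/.test(value)) return 'control-or-non-ascii';
  const name = value.endsWith('.') ? value.slice(0, -1) : value; // allow FQDN dot
  if (name.length > 253) return 'name-too-long';
  for (const label of name.split('.')) {
    if (!LABEL.test(label)) return 'illegal-label';
  }
  return null;
}

// Split resolver output into names safe to use and rejects worth alerting on.
function filterResolved(names) {
  const accepted = [];
  const rejected = [];
  for (const n of names) {
    const reason = checkHostname(n);
    if (reason === null) accepted.push(n.toLowerCase());
    else rejected.push({ reason, value: JSON.stringify(n) }); // escaped for logs
  }
  return { accepted, rejected };
}

// Wrap a reverse lookup; pass require('node:dns').promises as `resolver`.
async function safeReverse(resolver, ip) {
  const { accepted, rejected } = filterResolved(await resolver.reverse(ip));
  for (const r of rejected) console.warn('dns-reject', ip, r.reason, r.value);
  return accepted;
}

// Constructed sample resolver output (not captured traffic).
const SAMPLE = [
  'mail.example.com',
  'Host-01.example.net.',
  '<script>x</script>.example.com',
  'ok.example.com\0.other.test',
  'a'.repeat(64) + '.example.com',
  'bad host.example.com',
];
console.log(filterResolved(SAMPLE));
```

Rejected values are JSON-escaped before logging so that a hostile name cannot inject control characters into the log itself.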

```bash
# Verify Node.js version and upgrade if vulnerable
node --version

# Update Node.js using nvm (Node Version Manager)
nvm install 16.6.0
nvm use 16.6.0

# Or update via package manager (Debian/Ubuntu)
sudo apt update
sudo apt install nodejs

# Verify the updated version
node --version
```


