Preface: When I read this CVE's details, I found a gap between the official Node.js site announcements and security forums, including popular sites that post CVEs on a daily basis. In fact, if an attacker wants to trigger this vulnerability, the following requirements must be met. That's why I discuss this topic.
Vulnerability details: The vulnerability may be triggered when the environment meets the following conditions.
The Node.js rebinding protector for --inspect still allows invalid IP addresses, specifically those in octal format. An example of an octal IP address is 1.09.0.0; the 09 octet is invalid because 9 is not a digit in the base 8 number system. Browsers such as Firefox (tested on latest version m105) will still attempt to resolve this invalid octal address via DNS. When combined with an active --inspect session, such as when using VSCode, an attacker can perform DNS rebinding and execute arbitrary code.
Impacts: All versions of the 18.x, 16.x, and 14.x release lines.
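The following is an added example, not Node.js's own code: a strict Host-header allow-list for a local debug endpoint, set beside a constructed digits-and-dots check, to show why 1.09.0.0 has to be treated as a hostname rather than an IP literal. The function names, the allow-list policy and the sample headers are assumptions made for illustration.

```javascript
// Added example, not Node.js source. Policy (assumed): a local debug endpoint
// accepts a Host header only if it is "localhost" or a canonical IPv4 literal.
// IPv6 literals are out of scope here and are rejected.

// Strict dotted-decimal: exactly four octets, 0-255, no leading zeros.
// "09" and "010" are refused outright instead of being interpreted.
function isStrictIPv4(host) {
  const parts = host.split('.');
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9][0-9]{0,2})$/.test(p) && Number(p) <= 255);
}

// Constructed for contrast: a digits-and-dots test that mistakes 1.09.0.0
// for an IP literal, although a browser may still resolve it through DNS.
function isLooseIPv4(host) {
  return /^[0-9.]+$/.test(host);
}

// Strip an optional :port, then apply the allow-list.
function isAllowedHost(hostHeader, isIPv4 = isStrictIPv4) {
  const host = hostHeader.trim().toLowerCase().replace(/:\d+$/, '');
  return host === 'localhost' || isIPv4(host);
}

// Constructed sample Host headers (9229 is used as an example port).
const SAMPLES = [
  '127.0.0.1:9229',
  'localhost:9229',
  '1.09.0.0:9229',       // invalid octal octet from the advisory text
  '010.0.0.1',           // leading zero: ambiguous, so rejected
  '256.1.1.1:9229',      // octet out of range
  'rebind.example:9229', // ordinary DNS name
];

// Evaluate every sample under both checks so the difference is visible.
function compare(samples = SAMPLES) {
  return samples.map((h) => ({
    host: h,
    loose: isAllowedHost(h, isLooseIPv4),
    strict: isAllowedHost(h),
  }));
}

console.table(compare());
```

Any Host value that is not a canonical IP literal falls through to the hostname path and is refused unless it is explicitly allow-listed.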
Official announcement: Please refer to the link for details – https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/