Version 0.6.17 of Node.js closes a security hole in Node’s HTTP implementation that a remote attacker could exploit to access private information.
An attacker could do this by causing the contents of the HTTP parser’s buffer to be appended to a spoofed request header, making that content appear to come from the attacker. Echoing back the contents of a request is usually safe, but in this case it could expose information about other requests.
All versions of the 0.5.x and 0.6.x branches up to and including 0.6.16 are affected; versions 0.7.0 to 0.7.7 of the unstable 0.7.x development branch are also vulnerable. Upgrading to 0.6.17 or 0.7.8 fixes the problem. Alternatively, those who cannot or choose not to upgrade can apply a fix. The developers note that the 0.6.17 update also fixes some other important bugs, such as a file descriptor leak in sync functions.
Further information about this update is available in the announcement blog post and in the change log. Node.js 0.6.17 is available to download for Windows, Mac OS X or as source from the project’s web site; documentation is available. Source code for Node.js is published under an MIT license.