Oh Node!

JavaScript security issues loom over Node.js

Lucy Carey

Developers are urged to be aware of potential issues inherited from Node's client-side cousin.


First up, if you’re using the hugely popular Node.js, don’t panic, we’re not here to deliver a bleak prophecy of Java-applet scale plagues. In fact, Node.js itself is pretty watertight. Its JavaScript core however is another story. Prompted by a few recent issues, security experts have advised Node.js users to follow JavaScripters and up their defenses.

A critical tool at places like PayPal and Wal-Mart, the speedy, scalable server-side JavaScript platform also plays a role in helping to ensure the security of financial transactions and various other kinds of enterprise client data. Although immensely helpful, the innate characteristics of the Node.js platform and server-side JavaScript also make them particularly vulnerable to attack.

According to Adam Baldwin, chief security officer at security consulting firm Lift Security, whilst key issues are rooted in Node’s JavaScript core, “the execution context of V8, the JavaScript engine Node uses, is entirely different than a browser because it executes on the server. That difference adds some unique surface area [for attacks].”

Mark Stuart, a senior UI engineer at PayPal, chimes in that developers should ensure they are using reliable security defaults and scanning modules, warning that, “Node is still JavaScript, so eval and all the terrible things on the client side still exist on the server side.”
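To illustrate Stuart's point, here is an added example (not code from the article or from PayPal) contrasting a request handler that "parses" a query parameter with eval against one that uses JSON.parse; the `filter` parameter and function names are hypothetical.

```javascript
// Added example: eval on request data is code execution on the server,
// whereas JSON.parse only ever produces data. Handler names are hypothetical.

// Vulnerable pattern: eval happens to accept JSON, but it also evaluates
// any JavaScript expression with full access to the Node process.
function parseFilterUnsafe(raw) {
  return eval('(' + raw + ')');
}

// Hardened pattern: JSON.parse never runs code, and the shape check
// rejects anything that is not the object the application expects.
function parseFilterSafe(raw) {
  let value;
  try {
    value = JSON.parse(raw);
  } catch (e) {
    throw new Error('filter must be valid JSON');
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('filter must be a JSON object');
  }
  return value;
}

// Constructed inputs: a legitimate filter, and a value that is an
// expression rather than data (the kind of input a scanner should flag).
const LEGIT_FILTER = '{"status":"paid","limit":10}';
const EXPRESSION = '1+1';

function demo() {
  const results = {
    unsafeLegit: parseFilterUnsafe(LEGIT_FILTER),  // parses as expected
    unsafeExpr: parseFilterUnsafe(EXPRESSION),     // returns 2: code ran
    safeLegit: parseFilterSafe(LEGIT_FILTER),      // parses as expected
    safeRejected: false,
  };
  try {
    parseFilterSafe(EXPRESSION);
  } catch (e) {
    results.safeRejected = true;                   // non-JSON refused
  }
  return results;
}

console.log(demo());
```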

Baldwin is an expert in all things relating to Node security, heading up the Node Security Project around his daily role. The key goal of this initiative is to eventually audit every single module in npm. In addition to this impressive target, the project wants to provide advisories, issues and pull requests so modules get fixed, as well as a public API and DB of audit results.

Although still in its infancy, overall, the project appears to be a welcome addition to the youthful Node-iverse. Ultimately, Baldwin and his team hope that the project will not only help improve the security of the Node landscape on a technical level, but also bolster confidence among developers and enterprises about the state of security in Node.js.
