## https://sploitus.com/exploit?id=44209D78-94AF-5445-A3E3-58CF4A96497B
# Node.js-specific security flaws
## Constant Hashtable Seeds (CVE-2017-11499)
Node.js was susceptible to hash flooding remote DoS attacks because the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default, which caused the initially randomized seed to be overwritten on startup. Thanks to Jann Horn of Google Project Zero for reporting this vulnerability.
You can read about the general category of hash flooding vulnerabilities in the 28C3 presentation [Effective DoS on web application platforms](https://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf).
Snapshots have been disabled by default in these updates. Code that relies heavily on `vm.runInNewContext` will most likely see a performance regression until a better solution is implemented.
This is a high-severity vulnerability and applies to all active release lines (4.x, 6.x, 8.x) as well as the 7.x line.
## http.get with numeric authorization options creates uninitialized buffers
Application code that allows the `auth` field of the options object passed to `http.get()` to be set to a number can cause an uninitialized buffer to be created and used as the authentication string. For example:
```javascript
const opts = require('url').parse('http://127.0.0.1:8180');
opts.auth = 1e3; // A number here triggers the bug
require('http').get(opts, res => res.pipe(process.stdout));
```
Parsing of the `auth` field has been updated in the 4.x release so that a `TypeError` will be thrown if the `auth` field is a number when `http.get()` is called.
This is a low-severity defect and only applies to the 4.x release line.
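An application-side guard for the same condition, as an added example that is not part of the original advisory or of Node.js itself: it rejects any non-string `auth` value before the options reach `http.get()` and builds the `Authorization` header from a string copy. The helper names `validateAuth`, `basicHeader` and `buildRequestOptions` are hypothetical, and the sample request bodies are constructed.

```javascript
'use strict';
// Added example; validateAuth, basicHeader and buildRequestOptions are
// hypothetical helper names, not Node.js APIs.
const url = require('url');

// Only a string may be used as credentials. Numbers, objects, arrays and
// Buffers are rejected with a TypeError, as the patched 4.x release does
// for numbers.
function validateAuth(auth) {
  if (auth === undefined || auth === null) return undefined;
  if (typeof auth !== 'string') {
    throw new TypeError('auth must be a string, got ' + typeof auth);
  }
  return auth;
}

// Buffer.from(string) copies the string's bytes, so the encoded header can
// never contain uninitialized memory.
function basicHeader(auth) {
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// Build http.get() options from a fixed target and caller-supplied fields.
function buildRequestOptions(target, untrusted) {
  const opts = url.parse(target);
  const auth = validateAuth(untrusted.auth);
  opts.auth = null; // credentials travel only in the header built below
  if (auth !== undefined) {
    opts.headers = { Authorization: basicHeader(auth) };
  }
  return opts;
}

// Constructed inputs, e.g. fields taken from a parsed JSON request body.
function demo() {
  const samples = ['{"auth": "user:pass"}', '{"auth": 1000}', '{"auth": [1000]}', '{}'];
  return samples.map((body) => {
    try {
      const opts = buildRequestOptions('http://127.0.0.1:8180', JSON.parse(body));
      return opts.headers ? opts.headers.Authorization : 'no auth';
    } catch (err) {
      return err.name + ': ' + err.message;
    }
  });
}

console.log(demo());
```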