OSTIF is proud to share the results of our security audit of Node.js. Node.js is an open source project that is designed to build scalable network applications through asynchronous event-driven JavaScript runtime. With the help of Ada Logics and the OpenJS Foundation, this project will experience deeper fuzzing as it provides companies and individuals with easily scalable systems.
Audit Process:
This audit was designed to improve Node.js’s fuzzing ecosystem as well as to enhance project documentation via a threat modeling exercise. Ada Logics has extensive auditing experience and fuzzing knowledge, and their work was revealing and informative for project maintainers. In addition to the following highlights, Ada Logics also fixed an OSS-Fuzz build that had been broken for months which impacted both fuzzing and code coverage.
Audit Results:
- An extended OSS-Fuzz set up with 48 new fuzzers.
- Three new ClusterFuzzLite integrations to core Node.js dependencies.
- 4 findings with security impact found by the fuzzers.
This audit work had immediate impact for the maintainers and the project- shortly after the audit, code coverage of src folder increased by at least 18.1% with 1400 more functions analyzed, and coverage is expected to keep growing. Moving forward Node.js can experience fuller, more expansive coverage and bug reporting from improved fuzzing, which allows their maintainers to not only respond to and fix vulnerabilities found by their new fuzzing suite but to have a deeper understanding of the project and its security needs.
Thank you to the individuals and groups who made this engagement possible:
- Node.js maintainers, community members, and users- especially Michael Dawson and Matteo Collina
- Ada Logics- Adam Korczynski and David Korczynski
- The OpenJS Foundation- Ben Sternthal and Robin Ginn
You can read the Audit Report HERE
You can read OpenJS Foundation’s Blog HERE
Everyone around the world depends on open source. If you’re interested in financially supporting this work, contact [email protected].