A security vulnerability that potentially allows for local privilege escalation was recently announced (CVE-2015-0278). This affects node v0.10.36 and earlier.
It was found v0.10.36 and earlier that libuv did not call setgroups before calling setuid/setgid when spawning a child process. The child process might retain the privileges that were supposed to be dropped. This is fixed by also calling
setgroups which removes any extraneous groups and drop the user to the expected privileges.
This security issue affects node applications that create child processes, while using the
setgid option to limit the privileges that the child process has. Applications that do not use this feature are unaffected.
The newly released v0.10.37 has a fix to this above issue and can be downloaded from http://nodejs.org/dist/v0.10.37.
Please see the original bug report for more details and let me know if you have any further questions.
Subscribe to this thread in Google Groups to be notified of any security advisories related to Node.js and io.js from StrongLoop.