A security vulnerability dubbed the “FREAK Attack” was recently reported. It affects certain versions of OpenSSL, the popular open source encryption library used in many server products such as Apache.
Specifically, the ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.
Fortunately, Node.js v0.10.36, Node.js v0.12 and io.js are not affected by the reported vulnerability. They use a more recent version of OpenSSL in which the vulnerability has already been fixed.
In older versions of Node.js (0.10.35 and older, including all versions of v0.8.x), the TLS client uses the default OpenSSL cipher suites, which makes it vulnerable. To the users of those Node versions, our recommendation is to upgrade to v0.10.36 as soon as possible.
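To see where a given runtime stands, the check below compares the OpenSSL version reported by `process.versions.openssl` against the fixed releases named above (0.9.8zd, 1.0.0p, 1.0.1k). It is an added example, not code from the original post or from the Node.js project; the function names are hypothetical, and it is written in ES5 so it also runs on the old releases in question.

```javascript
// Fixed release per branch, taken from the advisory text above.
var FIXED = { '0.9.8': 'zd', '1.0.0': 'p', '1.0.1': 'k' };

// Split "1.0.1j" (optionally followed by e.g. "-fips") into numbers and patch letters.
function parseOpenSSL(version) {
  var m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(version).trim());
  if (!m) throw new Error('unrecognised OpenSSL version: ' + version);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], letters: m[4] };
}

// OpenSSL patch letters run a..z, then za, zb, ...: shorter sorts first, then alphabetical.
function compareLetters(a, b) {
  if (a.length !== b.length) return a.length - b.length;
  return a < b ? -1 : (a > b ? 1 : 0);
}

function compareNums(a, b) {
  for (var i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when the version falls in one of the ranges the advisory lists as affected.
function isFreakAffected(version) {
  var v = parseOpenSSL(version);
  var branch = v.nums.join('.');
  if (Object.prototype.hasOwnProperty.call(FIXED, branch)) {
    return compareLetters(v.letters, FIXED[branch]) < 0;
  }
  // Anything older than the 0.9.8 branch is also "before 0.9.8zd".
  return compareNums(v.nums, [0, 9, 8]) < 0;
}

// Report on the OpenSSL version the running Node.js binary reports.
function checkRuntime() {
  var openssl = process.versions && process.versions.openssl;
  if (!openssl) return { node: process.version, openssl: null, affected: null };
  return { node: process.version, openssl: openssl, affected: isFreakAffected(openssl) };
}

console.log(checkRuntime());
```

A result of `affected: true` means the runtime's OpenSSL predates the fix and the Node.js upgrade recommended above applies.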
For details about the vulnerability reported visit: