
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2019-15604 is a security vulnerability affecting Node.js versions 10, 12, and 13 that was discovered in 2019 and patched in February 2020. The vulnerability allows remote attackers to trigger an assertion on a TLS server by sending a crafted X.509 certificate string (Node.js Blog, NVD).
The vulnerability is classified as an Improper Certificate Validation issue with a CVSS v3.1 base score of 7.5 (High). It affects the TLS server implementation in Node.js and can be triggered remotely without requiring authentication. The vulnerability exists in the code that reads peer certificates during TLS client authentication (Red Hat Advisory).
When successfully exploited, this vulnerability causes the Node.js process to abort when processing a malformed certificate string during TLS client authentication. This results in a Denial of Service (DoS) condition, affecting the availability of the TLS server (NVD).
The vulnerability was fixed in Node.js versions 10.19.0, 12.15.0, and 13.8.0. Users should upgrade to these or later versions to mitigate the issue. The fixes include changes to the TLS server implementation to properly handle malformed certificate strings (Node.js Blog).
Multiple vendors and distributions responded by releasing security advisories and patches, including Red Hat, Debian, Oracle, and others. The vulnerability was rated as Important/High severity by most vendors due to its potential impact on service availability (Red Hat Advisory, Debian Advisory).
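A version triage against the fixed releases listed above, as an added example that is not part of the original advisory or of Node.js itself. The function names, status labels and sample inventory are assumptions made for illustration, and pre-release builds of a fixed version are conservatively treated as affected.

```javascript
// Fixed release per affected release line, taken from the advisory text above.
const FIXED = { 10: [10, 19, 0], 12: [12, 15, 0], 13: [13, 8, 0] };

// Parse "v12.14.1", "12.14.1" or "13.8.0-rc.1" into numeric parts plus a pre-release flag.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(raw).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Returns "affected", "fixed", "not-listed" (release line not named by the advisory)
// or "unparseable". Status labels are hypothetical, chosen for this example.
function classify(raw) {
  const v = parseVersion(raw);
  if (!v) return "unparseable";
  const fixed = FIXED[v.parts[0]];
  if (!fixed) return "not-listed";
  // Compare numerically, field by field, so 10.2.0 sorts before 10.19.0.
  for (let i = 0; i < 3; i++) {
    if (v.parts[i] !== fixed[i]) return v.parts[i] < fixed[i] ? "affected" : "fixed";
  }
  // Same numbers as the fixed release: a pre-release tag sorts before the release
  // in semver order, so it is treated as affected (conservative assumption).
  return v.prerelease ? "affected" : "fixed";
}

// Constructed sample inventory: hostnames and versions are made up for illustration.
const SAMPLE_INVENTORY = [
  { host: "api-1", node: "v10.18.1" },
  { host: "api-2", node: "v10.19.0" },
  { host: "mtls-gw", node: "12.14.1" },
  { host: "build-7", node: "13.8.0-rc.1" },
  { host: "edge-3", node: "v14.0.0" },
];

// Attach a status to every inventory entry.
function triage(inventory) {
  return inventory.map(({ host, node }) => ({ host, node, status: classify(node) }));
}

// Report on the sample inventory and, when run under Node.js, on the current runtime.
console.table(triage(SAMPLE_INVENTORY));
if (typeof process !== "undefined" && process.version) {
  console.log("this runtime:", process.version, "->", classify(process.version));
}
```

A "not-listed" result only means the advisory text does not name that release line; it is not a statement that the line is unaffected.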
Source: This report was generated using AI