HTTP Request Smuggling in node

Do your applications use this vulnerable package? Test your applications

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Two copies of a header field are allowed in a HTTP request, which causes Node.js to identifiy the first header and ignore the second.

Remediation

Upgrade node to version 10.23.1, 12.20.1, 14.15.4, 15.5.1 or higher.

References

GitHub Commit
HTTP Request Smuggling Demystified - Snyk Blog
NodeJS Security Release Notes
progfay's PoC
RedHat Bugzilla Bug

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

High
Integrity

None
Availability

None

Credit: Unknown
CVE: CVE-2020-8287
CWE: CWE-444
Snyk ID: SNYK-UPSTREAM-NODE-1055465
Disclosed: 05 Jan, 2021
Published: 05 Jan, 2021

HTTP Request Smuggling
Affecting node package, versions [,10.23.1) || [11.0.0, 12.20.1) || [13.0.0, 14.15.4) || [15.0.0, 15.5.1)

Overview

Remediation

References

CVSS Score

HTTP Request Smuggling Affecting node package, versions [,10.23.1) || [11.0.0, 12.20.1) || [13.0.0, 14.15.4) || [15.0.0, 15.5.1)

Overview

Remediation

References

HTTP Request Smuggling
Affecting node package, versions [,10.23.1) || [11.0.0, 12.20.1) || [13.0.0, 14.15.4) || [15.0.0, 15.5.1)