Insufficient Header Validation

Affecting node package, versions [12.0.0,12.15.0) || [13.0.0,13.8.0) || [10.0.0,10.19.0)

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Insufficient Header Validation. HTTP header values can contain trailing optional whitespace (OWS), which should be stripped. OWS is not semantically part of the header's value, and if it is treated as part of the value, it can cause spurious inequality between expected and actual header values.
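
The spurious inequality described above, as an added example (not Node's parser code and not part of the advisory): a parser that keeps trailing OWS beside one that strips it as RFC 7230 section 3.2.3 defines it. The function names and the sample header lines are constructed for illustration.

```javascript
// Added example; all names are hypothetical and this is not Node's parser code.
// OWS (RFC 7230 section 3.2.3) is any run of SP or HTAB around a field value.
const OWS_CHARS = new Set([' ', '\t']);

// Strip leading and trailing OWS only; interior whitespace belongs to the value.
function stripOws(value) {
  let start = 0;
  let end = value.length;
  while (start < end && OWS_CHARS.has(value[start])) start++;
  while (end > start && OWS_CHARS.has(value[end - 1])) end--;
  return value.slice(start, end);
}

// Split "Name: value" at the first colon; field names are case-insensitive.
function splitLine(line) {
  const i = line.indexOf(':');
  if (i < 1) throw new Error('malformed header line');
  return { name: line.slice(0, i).toLowerCase(), raw: line.slice(i + 1) };
}

// Models the flaw: leading OWS is dropped, trailing OWS stays in the value.
function parseHeaderLax(line) {
  const { name, raw } = splitLine(line);
  return { name, value: raw.replace(/^[ \t]+/, '') };
}

// Treats OWS on both sides as framing, not as part of the value.
function parseHeaderStrict(line) {
  const { name, raw } = splitLine(line);
  return { name, value: stripOws(raw) };
}

// Constructed sample input: one header sent with different surrounding OWS.
const SAMPLES = [
  'Content-Type: application/json',
  'Content-Type: application/json \t',
  'Content-Type:\tapplication/json',
];

// Exact-match comparison, as application code typically writes it.
function compareAll(expected) {
  return SAMPLES.map((line) => ({
    line: JSON.stringify(line), // makes the trailing tab visible
    lax: parseHeaderLax(line).value === expected,
    strict: parseHeaderStrict(line).value === expected,
  }));
}

console.table(compareAll('application/json'));
```

Only the second sample differs between the two parsers: the value with trailing OWS fails the exact-match check until the whitespace is stripped.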

Remediation

Upgrade node to version 12.15.0, 13.8.0, 10.19.0 or higher.

CVSS Score

3.7 (low severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:R

Credit: Unknown
CVE: CVE-2019-15606
CWE: CWE-20
Snyk ID: SNYK-UPSTREAM-NODE-546813
Disclosed: 06 Feb, 2020
Published: 06 Feb, 2020