HTTP request splitting in node

Do your applications use this vulnerable package? Test your applications

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to HTTP request splitting. If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.

Remediation

Upgrade node to version 6.15.0, 8.14.0 or higher.

References

Nodejs Security Advisory

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

Low
Availability

None

Credit: Arkadiy Tetelman
CVE: CVE-2018-12116
CWE: CWE-115
Snyk ID: SNYK-UPSTREAM-NODE-73603
Disclosed: 28 Nov, 2018
Published: 24 Jan, 2019

HTTP request splitting
Affecting node package, versions [6.0.0, 6.15.0) || [8.0.0, 8.14.0)

Overview

Remediation

References

CVSS Score

HTTP request splitting Affecting node package, versions [6.0.0, 6.15.0) || [8.0.0, 8.14.0)

Overview

Remediation

References

HTTP request splitting
Affecting node package, versions [6.0.0, 6.15.0) || [8.0.0, 8.14.0)