CVE-2019-15605
In short
Node.js versions 10, 12, and 13 have a flaw in how they handle certain HTTP headers, allowing an attacker to sneak malicious content past security checks by sending a specially crafted request. This can lead to bypassing protections and delivering harmful payloads to users.
Technical detail
The HTTP request smuggling vulnerability in Node.js 10, 12, and 13 stems from improper parsing of malformed Transfer-Encoding headers, which lets an attacker inject additional HTTP requests that are then processed by downstream servers or proxies. Exploitation requires crafting malicious HTTP requests; the vulnerability enables cache poisoning, session hijacking, or delivery of malicious content to end users.
Summary generated and translated by AI from the official description.
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
Affected products
NodeJS · Node
References
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
https://access.redhat.com/errata/RHSA-2020:0573
https://access.redhat.com/errata/RHSA-2020:0579
https://access.redhat.com/errata/RHSA-2020:0597
https://access.redhat.com/errata/RHSA-2020:0598
https://access.redhat.com/errata/RHSA-2020:0602
https://access.redhat.com/errata/RHSA-2020:0703
https://access.redhat.com/errata/RHSA-2020:0707
https://access.redhat.com/errata/RHSA-2020:0708
https://hackerone.com/reports/735748
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/