CVE-2019-15606

EPSS 20.0% · CWE-20

In short

Node.js versions 10, 12, and 13 allow attackers to bypass security checks by adding extra spaces at the end of HTTP headers. If a server checks header values to authorize requests, an attacker can add trailing spaces to fool the check.

Technical detail

HTTP header values containing trailing whitespace are not properly normalized in Node.js 10, 12, and 13, allowing attackers to bypass authorization mechanisms that rely on strict header value comparison. The attack vector involves crafted HTTP requests with whitespace-padded header values; impact includes circumvention of access controls based on header validation.

Summary generated and translated by AI from the official description.
Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
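
The comparison failure described above, as an added example that is not Node.js code or part of the original advisory. The header name `x-client-tier`, the value `guest` and the sample inputs are constructed for illustration; the block contrasts an exact-match check with one that strips surrounding SP/HTAB before comparing and flags padded values so they can be logged.

```javascript
// Added example: hypothetical header name and rule, constructed sample values.
const HEADER = 'x-client-tier'; // hypothetical header used in an access rule
const DENIED = 'guest';         // hypothetical value the rule must reject

// Naive check: exact string comparison on the value as received.
function naiveIsDenied(headers) {
  return headers[HEADER] === DENIED;
}

// Strip leading/trailing optional whitespace (SP / HTAB, the OWS of RFC 7230).
function normalize(value) {
  return value.replace(/^[ \t]+|[ \t]+$/g, '');
}

// Hardened check: compare the normalized value, fail closed when the header is
// missing or not a string (a design choice assumed here), and report whether
// the raw value carried padding so the request can be logged.
function checkedIsDenied(headers) {
  const raw = headers[HEADER];
  if (typeof raw !== 'string') return { denied: true, padded: false };
  const value = normalize(raw);
  return { denied: value === DENIED, padded: value !== raw };
}

// Constructed values, as an affected parser could hand them to application code.
const samples = ['guest', 'guest ', 'guest\t ', 'member'];

function runSamples() {
  return samples.map((v) => {
    const headers = { [HEADER]: v };
    return {
      raw: JSON.stringify(v),
      naive: naiveIsDenied(headers),
      ...checkedIsDenied(headers),
    };
  });
}

console.table(runSamples());
```

Rows where `naive` is false but `denied` is true are the padded values that an exact-match rule would miss; `padded: true` is the signal worth alerting on.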
Affected products
NodeJS · Node
