CVE-2018-12116 vulnerability in Joyent and Other Products
Published on November 28, 2018
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to be made to the same server.
Weakness Type
Misinterpretation of Input
The software misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.
Products Associated with CVE-2018-12116
Affected Versions
The Node.js Project Node.js: all versions prior to Node.js 6.15.0 and 8.14.0 are affected by CVE-2018-12116.
Vulnerable Packages
The following package name and versions may be associated with CVE-2018-12116:
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| npm | undici | < 5.8.0 | 5.8.0 |
Exploit Probability
EPSS: 0.58%
Percentile: 68.37%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.