Node.js httpd: HTTP Reqt Smuggling via Malformed Headers: CVE-2024-27982 May 2024

Node.js httpd: HTTP Reqt Smuggling via Malformed Headers
CVE-2024-27982 Published on May 7, 2024

The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.

Weakness Type

What is a HTTP Request Smuggling Vulnerability?

When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.

CVE-2024-27982 has been classified to as a HTTP Request Smuggling vulnerability or weakness.

Products Associated with CVE-2024-27982

Want to know whenever a new CVE is published for nodejs node.js? stack.watch will email you.

Affected Versions

Version 4.0 and below 4.* is affected.

Version 5.0 and below 5.* is affected.

Version 6.0 and below 6.* is affected.

Version 7.0 and below 7.* is affected.

Version 8.0 and below 8.* is affected.

Version 9.0 and below 9.* is affected.

Version 10.0 and below 10.* is affected.

Version 11.0 and below 11.* is affected.

Version 12.0 and below 12.* is affected.

Version 13.0 and below 13.* is affected.

Version 14.0 and below 14.* is affected.

Version 15.0 and below 15.* is affected.

Version 16.0 and below 16.* is affected.

Version 17.0 and below 17.* is affected.

Version 18.0 and below 18.20.1 is affected.

Version 19.0 and below 19.* is affected.

Version 20.0 and below 20.12.1 is affected.

Version 21.0 and below 21.7.2 is affected.

Version 20.12.0, 21.7.2, 18.20.0 is affected.

Exploit Probability

EPSS

0.39%

Percentile

59.66%