Overview
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model that makes it lightweight and efficient, and is widely used in server-side applications.
An HTTP Request Smuggling vulnerability has been identified in Node. The issue stems from the llhttp parser not correctly parsing and validating Transfer-Encoding headers. This weakness allows attackers to manipulate HTTP requests and potentially smuggle them to the backend server.
This vulnerability affects specific versions of the package and can result in unauthorized access or data leakage. Details on affected versions and reproduction steps are provided below.
Details
Module Info
- Affected packages: Node
- Affected versions: 4.0 < 14.20.1, 16 < 16.17.1, 18 < 18.9.1
- GitHub repository: https://github.com/nodejs/node
- Published packages: https://github.com/nodejs/node/releases
- Package manager: npm
- Fixed in: Node.js NES version 12
Vulnerability Info
The issue stems from improper parsing of Transfer-Encoding headers.
For instance, in a scenario where a request is sent with a malformed Transfer-Encoding header, if the backend server processes this request incorrectly, the system may expose sensitive information or allow unauthorized actions. This behavior can be exploited by attackers to manipulate requests and gain access to restricted resources.
This vulnerability is a result of flawed logic in the llhttp parser, and may allow attackers to execute unauthorized actions on the server.
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://www.cve.org/CVERecord?id=CVE-2022-32213
Mitigation
This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.
- Update to a patched LTS version of Node.js
- Leverage a commercial support partner like HeroDevs for post-EOL security.
Refer to the NES documentation for upgrade instructions.
Credits
- zeyu2001
