Overview
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers a rich library of various JavaScript modules and is widely used in server-side applications.
An HTTP Request Smuggling vulnerability has been identified in Node.js. The issue stems from malformed headers not being interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
This vulnerability affects specific versions of the package and can result in unauthorized access. Details on affected versions and reproduction steps are provided below.
Details
Module Info
Affected packages: Node.js
Affected versions: 4.0 < 18.20.1, 20 < 20.12.1
GitHub repository: https://github.com/nodejs/node
Published packages: https://github.com/nodejs/node/releases
Package manager: npm
Fixed in: Node.js NES v12, v14, v16
Vulnerability Info
The issue stems from improper handling of HTTP headers.
For instance if a space is placed before a content-length header, the system fails to interpret it correctly. This behavior can be exploited by attackers to smuggle in a second request.
This vulnerability is a result of flawed logic, and may allow attackers to execute arbitrary requests.
- https://www.cve.org/CVERecord?id=CVE-2024-27982
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling
Credits
- bpingel
Mitigation
This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.
- Update to a patched LTS version of Node.js
- Leverage a commercial support partner like HeroDevs for post-EOL security.
Refer to the NES documentation for upgrade instructions.