CVE-2024-27982
Published: April 4, 2024Last modified: April 15, 2024
Description
The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first. Impacts: This vulnerability affects all users in all active release lines: 18.x, 20.x and, 21.x.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.5 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity impact | LOW |
| Availability impact | LOW |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | nodejs | Fixed (18.20.1-r0) |
| Stream | nodejs | Fixed (20.12.1-r0) |
References
- https://github.com/nodejs/node/commit/1a65e98e22
- https://github.com/nodejs/node/commit/5d4d5848cf
- https://github.com/nodejs/node/commit/5e34540a96
- https://hackerone.com/reports/2237099
- https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/QJAKA33NJCI3XLQS2K36DRCUMWIFFYVU/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/X4M5XZZONMS4DAZE3CNDFDRSB6JQCL6Y/
- https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/#http-request-smuggling-via-content-length-obfuscation---cve-2024-27982---medium
- https://security.netapp.com/advisory/ntap-20250418-0001/