CVE-2024-27982

Name
CVE-2024-27982
Description
The team has identified a critical vulnerability in the HTTP server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a Content-Length header, the header is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
NVD Severity
unknown

References

| Type | URI |
|---|---|
| support@hackerone.com | https://hackerone.com/reports/2237099 |

Match rules

CPE URI Source package Min version Max version

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| nodejs | 3.18-main | 18.20.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| nodejs-current | 3.19-community | 21.7.2-r0 | Patrycja Rosa <alpine@ptrcnull.me> | fixed |
| nodejs | 3.17-main | 18.20.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| llhttp | edge-community | 9.2.1-r0 | Michał Polański <michal@polanski.me> | fixed |
| llhttp | 3.21-community | 9.2.1-r0 | Michał Polański <michal@polanski.me> | fixed |