CVE-2024-27982

Name: CVE-2024-27982

Description: The team has identified a critical vulnerability in the HTTP server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a Content-Length header, the header is not parsed correctly, enabling attackers to smuggle a second request within the body of the first.

NVD Severity: medium

Other trackers:
Mailing lists:
Exploits:
Forges: GitHub (code, issues), Aports (code, issues)

References

Type                                  URI
support@hackerone.com                 https://hackerone.com/reports/2237099
af854a3a-2127-422b-91ae-364da2661108  https://security.netapp.com/advisory/ntap-20250418-0001/
af854a3a-2127-422b-91ae-364da2661108  https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html
af854a3a-2127-422b-91ae-364da2661108  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QJAKA33NJCI3XLQS2K36DRCUMWIFFYVU/
af854a3a-2127-422b-91ae-364da2661108  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/
af854a3a-2127-422b-91ae-364da2661108  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4M5XZZONMS4DAZE3CNDFDRSB6JQCL6Y/

Match rules

CPE URI  Source package  Min version  Max version
node                     >= 4.0       < 4.*
node                     >= 5.0       < 5.*
node                     >= 6.0       < 6.*
node                     >= 7.0       < 7.*
node                     >= 8.0       < 8.*
node                     >= 9.0       < 9.*
node                     >= 10.0      < 10.*
node                     >= 11.0      < 11.*
node                     >= 12.0      < 12.*
node                     >= 13.0      < 13.*
node                     >= 14.0      < 14.*
node                     >= 15.0      < 15.*
node                     >= 16.0      < 16.*
node                     >= 17.0      < 17.*
node                     >= 18.0      < 18.20.1
node                     >= 19.0      < 19.*
node                     >= 20.0      < 20.12.1
node                     >= 21.0      < 21.7.2

Vulnerable and fixed packages

Source package  Branch          Version     Maintainer                            Status
nodejs-current  edge-community  21.7.2-r0   Patrycja Rosa <alpine@ptrcnull.me>    fixed
nodejs-current  3.22-community  21.7.2-r0   None                                  fixed
nodejs-current  3.21-community  21.7.2-r0   None                                  fixed
nodejs-current  3.20-community  21.7.2-r0   None                                  fixed
nodejs-current  3.19-community  21.7.2-r0   Patrycja Rosa <alpine@ptrcnull.me>    fixed
nodejs          edge-main       20.12.1-r0  Jakub Jirutka <jakub@jirutka.cz>      fixed
nodejs          3.22-main       20.12.1-r0  None                                  fixed
nodejs          3.21-main       20.12.1-r0  None                                  fixed
nodejs          3.20-main       20.12.1-r0  None                                  fixed
nodejs          3.19-main       20.12.1-r0  Jakub Jirutka <jakub@jirutka.cz>      fixed
nodejs          3.18-main       18.20.1-r0  Jakub Jirutka <jakub@jirutka.cz>      fixed
nodejs          3.17-main       18.20.1-r0  Jakub Jirutka <jakub@jirutka.cz>      fixed
llhttp          edge-community  9.2.1-r0    Michał Polański <michal@polanski.me>  fixed
llhttp          3.22-community  9.2.1-r0    Michał Polański <michal@polanski.me>  fixed
llhttp          3.21-community  9.2.1-r0    Michał Polański <michal@polanski.me>  fixed