CVE-2024-27982

Name
CVE-2024-27982
Description
The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
NVD Severity
medium

References

Type                                  URI
support@hackerone.com                 https://hackerone.com/reports/2237099
af854a3a-2127-422b-91ae-364da2661108  https://security.netapp.com/advisory/ntap-20250418-0001/

Match rules

CPE URI  Source package  Min version  Max version
         node            >= 0         <= 20.12.0
         node            >= 0         <= 21.7.2
         node            >= 0         <= 18.20.0

Vulnerable and fixed packages

Source package  Branch          Version     Maintainer                            Status
nodejs          3.18-main       18.20.1-r0  Jakub Jirutka <jakub@jirutka.cz>      fixed
nodejs-current  3.19-community  21.7.2-r0   Patrycja Rosa <alpine@ptrcnull.me>    fixed
nodejs          3.17-main       18.20.1-r0  Jakub Jirutka <jakub@jirutka.cz>      fixed
llhttp          edge-community  9.2.1-r0    Michał Polański <michal@polanski.me>  fixed
llhttp          3.21-community  9.2.1-r0    Michał Polański <michal@polanski.me>  fixed