CVE-2016-2086 — Improper Input Validation in Node.js

CWE-20 — Improper Input Validation CWE-444 — HTTP Request Smuggling10 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 34.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Fedoraproject Fedora Nodejs Node.js

Timeline

PublishedApr 7

Latest updateMay 17

Description

Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Debiannodejs/nodejs< 4.3.0~dfsg-1+3

▶NVDnodejs/node.js72 versions+71

Also affects: Fedora 22, 23

Patches

Patch: nodejs.org ↗Patch: nodejs.org ↗

🔴Vulnerability Details

GHSA

GHSA-j4wx-39fg-h554: Node↗2022-05-17

▶

CVEList

CVE-2016-2086: Node↗2016-04-07

▶

OSV

CVE-2016-2086: Node↗2016-04-07

▶

📋Vendor Advisories

Apple

CVE-2016-2086: Xcode 8.1↗2016-10-27

▶

Red Hat

nodejs: Request smuggling vulnerability↗2016-02-09

▶

Debian

CVE-2016-2086: nodejs - Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x ...↗2016

▶

💬Community

Bugzilla

CVE-2016-2086 nodejs: Request smuggling vulnerability↗2016-02-10

▶

Bugzilla

CVE-2016-2216 CVE-2016-2086 nodejs: various flaws [epel-all]↗2016-02-10

▶

Bugzilla

CVE-2016-2216 CVE-2016-2086 nodejs: various flaws [fedora-all]↗2016-02-10

▶