CVE-2016-2216: The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows…

high7.5CVSS 3.0

AVNACLPRNUINSUCNIHAN

The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.

Affected

91 ranges· showing 25

Vendor	Product	Version range	Fixed in
apple	xcode	—	—
debian	nodejs	< nodejs 4.3.0~dfsg-1 (bookworm)	nodejs 4.3.0~dfsg-1 (bookworm)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—
nodejs	node.js	—	—

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

osv7.5HIGH