CVE-2016-2216 — Improper Input Validation in Node.js

CWE-20 — Improper Input Validation CWE-113 — HTTP Request/Response Splitting10 documents8 sources

Severity

7.5HIGHNVD

EPSS

1.8%

top 17.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Fedoraproject Fedora Nodejs Node.js

Timeline

PublishedApr 7

Latest updateMay 17

Description

The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Debiannodejs/nodejs< 4.3.0~dfsg-1+3

▶NVDnodejs/node.js83 versions+82

Also affects: Fedora 22, 23

Patches

Patch: nodejs.org ↗Patch: nodejs.org ↗

🔴Vulnerability Details

GHSA

GHSA-77qx-hwx7-xv2g: The HTTP header parsing code in Node↗2022-05-17

▶

OSV

CVE-2016-2216: The HTTP header parsing code in Node↗2016-04-07

▶

CVEList

CVE-2016-2216: The HTTP header parsing code in Node↗2016-04-07

▶

📋Vendor Advisories

Apple

CVE-2016-2216: Xcode 8.1↗2016-10-27

▶

Red Hat

nodejs: Response splitting vulnerability using Unicode characters↗2016-02-09

▶

Debian

CVE-2016-2216: nodejs - The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0....↗2016

▶

💬Community

Bugzilla

CVE-2016-2216 nodejs: Response splitting vulnerability using Unicode characters↗2016-02-10

▶

Bugzilla

CVE-2016-2216 CVE-2016-2086 nodejs: various flaws [epel-all]↗2016-02-10

▶

Bugzilla

CVE-2016-2216 CVE-2016-2086 nodejs: various flaws [fedora-all]↗2016-02-10

▶