CVE-2016-5325

CWE-11310 documents7 sources

Severity

6.1MEDIUM

EPSS

1.0%

top 23.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node.js Suse Linux Enterprise

Timeline

PublishedOct 10

Latest updateMay 14

Description

CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶Debiannodejs< 4.6.0~dfsg-1+3

▶NVDnodejs/node.js97 versions+96

Also affects: Linux Enterprise 12.0

Patches

Patch: github.com ↗Patch: nodejs.org ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-qpf8-fqrf-8p2h: CRLF injection vulnerability in the ServerResponse#writeHead function in Node↗2022-05-14

▶

OSV

CVE-2016-5325: CRLF injection vulnerability in the ServerResponse#writeHead function in Node↗2016-10-10

▶

CVEList

CVE-2016-5325: CRLF injection vulnerability in the ServerResponse#writeHead function in Node↗2016-10-10

▶

📋Vendor Advisories

Red Hat

nodejs: reason argument in ServerResponse#writeHead() not properly validated↗2016-06-13

▶

Debian

CVE-2016-5325: nodejs - CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js...↗2016

▶

💬Community

Bugzilla

CVE-2016-5325 nodejs: HTTP processing security defect [epel-all]↗2016-06-15

▶

Bugzilla

CVE-2016-5325 nodejs: HTTP processing security defect [fedora-all]↗2016-06-15

▶

Bugzilla

CVE-2016-5325 nodejs: reason argument in ServerResponse#writeHead() not properly validated↗2016-06-15

▶

Bugzilla

CVE-2015-5325 jenkins: JNLP slaves not subject to slave-to-master access control (SECURITY-206)↗2015-11-16

▶