CVE-2018-12116 — Misinterpretation of Input in Node.js

CWE-115 — Misinterpretation of Input CWE-444 — HTTP Request Smuggling CWE-113 — HTTP Request/Response Splitting CWE-93 — CRLF Injection12 documents10 sources

Severity

7.5HIGHNVD

EPSS

0.6%

top 29.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Nodejs Node.js THE Node.js Project Node.js +3 more

Timeline

PublishedNov 28

Latest updateJul 21

Description

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶NVDnodejs/node.js6.9.0 — 6.15.0+3

▶Debiannodejs/nodejs< 10.15.0~dfsg-6+3

▶CVEListV5the_node.js_project/node.jsAll versions prior to Node.js 6.15.0 and 8.14.0

▶NVDsuse/suse_linux_enterprise_server12, 15+1

▶NVDsuse/suse_openstack_cloud7, 8+1

Patches

Patch: nodejs.org ↗Patch: nodejs.org ↗

🔴Vulnerability Details

GHSA

undici before v5.8.0 vulnerable to CRLF injection in request headers↗2022-07-21

▶

GHSA

GHSA-mfjx-w835-f3w2: Node↗2022-05-13

▶

CVEList

CVE-2018-12116: Node↗2018-11-28

▶

OSV

CVE-2018-12116: Node↗2018-11-28

▶

📋Vendor Advisories

Ubuntu

Node.js vulnerabilities↗2021-03-15

▶

Red Hat

nodejs: HTTP request splitting↗2018-11-27

▶

Microsoft

▶

Debian

CVE-2018-12116: nodejs - Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting...↗2018

▶

💬Community

Bugzilla

CVE-2018-12116 nodejs: HTTP request splitting [fedora-all]↗2018-12-19

▶

Bugzilla

CVE-2018-12116 nodejs: HTTP request splitting↗2018-12-19

▶

Bugzilla

CVE-2018-12116 nodejs: HTTP request splitting [epel-all]↗2018-12-19

▶