CVE-2018-7159

Severity: 5.3 MEDIUM
EPSS: 0.6% (top 30.83%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 17; Latest update May 13

Description

The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that mak
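The parsing difference described above, as an added example (not code from Node.js or from this advisory): a lenient reader that skips spaces, a strict digits-only reader, and a check that flags header values on which the two disagree. The function names and the sample request are constructed for illustration.

```javascript
'use strict';

// Lenient model of the behaviour in the description: spaces inside the
// value are skipped, so "1 2" is read as 12. This is an illustrative
// model, not the Node.js parser source.
function lenientContentLength(value) {
  const stripped = value.replace(/ /g, '');
  return /^[0-9]+$/.test(stripped) ? Number(stripped) : null;
}

// Strict reading: whitespace is tolerated only around the value; the
// value itself must be one or more digits and nothing else.
function strictContentLength(value) {
  const trimmed = value.replace(/^[ \t]+|[ \t]+$/g, '');
  if (!/^[0-9]+$/.test(trimmed)) return null;
  const n = Number(trimmed);
  return Number.isSafeInteger(n) ? n : null;
}

// Scan a raw header block and report every Content-Length value that a
// strict parser rejects but a lenient parser would still accept.
function auditHeaders(rawHead) {
  const findings = [];
  for (const line of rawHead.split('\r\n')) {
    const idx = line.indexOf(':');
    if (idx < 0) continue; // request line or blank line
    if (line.slice(0, idx).toLowerCase() !== 'content-length') continue;
    const value = line.slice(idx + 1);
    const lenient = lenientContentLength(value);
    if (strictContentLength(value) === null && lenient !== null) {
      findings.push({ value: value.trim(), lenient });
    }
  }
  return findings;
}

// Constructed sample request head (not captured traffic).
const SAMPLE =
  'POST /upload HTTP/1.1\r\n' +
  'Host: example.test\r\n' +
  'Content-Length: 1 2\r\n' +
  '\r\n';

console.log(auditHeaders(SAMPLE));
```
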

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (3 packages)

NVD: nodejs/node.js 4.2.0 4.9.0 +6
Debian: nodejs < 8.11.1~dfsg-2 +3
CVEListV5: the_node.js_project/node.js 4 versions +3

🔴 Vulnerability Details (3)

GHSA
GHSA-87vg-5pwm-8x6w: The HTTP parser in all current versions of Node (2022-05-13)
OSV
CVE-2018-7159: The HTTP parser in all current versions of Node (2018-05-17)
CVEList
CVE-2018-7159: The HTTP parser in all current versions of Node (2018-05-17)

📋 Vendor Advisories (3)

Microsoft
The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP spe (2018-05-08)
Red Hat
nodejs: HTTP parser allowed for spaces inside Content-Length header values (2018-03-08)
Debian
CVE-2018-7159: nodejs - The HTTP parser in all current versions of Node.js ignores spaces in the `Conten... (2018)

💬 Community (3)

Bugzilla
CVE-2018-7159 nodejs: HTTP parser allowed for spaces inside Content-Length header values (2018-03-29)
Bugzilla
CVE-2018-7158 CVE-2018-7159 CVE-2018-7160 nodejs: various flaws [fedora-all] (2018-03-29)
Bugzilla
CVE-2018-7158 CVE-2018-7159 CVE-2018-7160 nodejs: various flaws [epel-all] (2018-03-29)