CVE-2020-8201

CWE-444 — HTTP Request Smuggling13 documents7 sources

Severity

7.4HIGH

EPSS

0.6%

top 29.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Nodejs Node.js Fedoraproject Fedora +1 more

Timeline

PublishedSep 18

Latest updateMay 24

Description

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages4 packages

▶CVEListV5nodejs/node4.0 — 4.*+9

▶NVDnodejs/node.js12.0.0 — 12.18.4+1

▶Debiannodejs< 12.18.4~dfsg-1+3

▶NVDopensuse/leap15.2

Also affects: Fedora 33

🔴Vulnerability Details

GHSA

GHSA-7mcp-gwc2-4c6m: Node↗2022-05-24

▶

CVEList

CVE-2020-8201: Node↗2020-09-18

▶

OSV

CVE-2020-8201: Node↗2020-09-18

▶

📋Vendor Advisories

Red Hat

nodejs: HTTP request smuggling due to CR-to-Hyphen conversion↗2020-09-15

▶

Debian

CVE-2020-8201: nodejs - Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks an...↗2020

▶

💬Community

Bugzilla

CVE-2020-8201 nodejs:12/nodejs: HTTP Request Smuggling due to CR-to-Hyphen conversion [fedora-all]↗2020-09-16

▶

Bugzilla

CVE-2020-8201 nodejs:13/nodejs: HTTP Request Smuggling due to CR-to-Hyphen conversion [fedora-all]↗2020-09-16

▶

Bugzilla

CVE-2020-8201 nodejs:11/nodejs: HTTP Request Smuggling due to CR-to-Hyphen conversion [fedora-all]↗2020-09-16

▶

Bugzilla

CVE-2020-8201 nodejs: HTTP Request Smuggling due to CR-to-Hyphen conversion [fedora-all]↗2020-09-16

▶

Bugzilla

CVE-2020-8201 nodejs:14/nodejs: HTTP Request Smuggling due to CR-to-Hyphen conversion [fedora-all]↗2020-09-16

▶