CVE-2020-8287

CWE-444 — HTTP Request Smuggling8 documents7 sources

Severity

6.5MEDIUM

EPSS

11.9%

top 6.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Nodejs Node.js Siemens Sinec Infrastructure Network Services +3 more

Timeline

PublishedJan 6

Latest updateSep 19

Description

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages6 packages

▶CVEListV5nodejs/node4.0 — 4.*+11

▶NVDnodejs/node.js10.0.0 — 10.23.1+3

▶Debiannodejs< 12.20.1~dfsg-1+3

▶Debianhttp-parser< 2.9.4-4+deb11u1+3

▶NVDsiemens/sinec_infrastructure_network_services< 1.0.1.1

Also affects: Debian Linux 10.0, Fedora 32, 33

Patches

Patch: cert-portal.siemens.com ↗Patch: nodejs.org ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

GHSA

GHSA-f33f-hhx9-6j4m: Node↗2022-05-24

▶

OSV

CVE-2020-8287: Node↗2021-01-06

▶

CVEList

CVE-2020-8287: Node↗2021-01-06

▶

📋Vendor Advisories

Ubuntu

Node.js vulnerabilities↗2023-09-19

▶

Ubuntu

http-parser vulnerability↗2022-08-10

▶

Red Hat

nodejs: HTTP request smuggling via two copies of a header field in an http request↗2021-01-04

▶

Debian

CVE-2020-8287: http-parser - Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a ...↗2020

▶