Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5.3
CVSSv3

CVE-2018-7159

Published: 17/05/2018 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Subscribe to Node.js

Vulnerability Summary

The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

nodejs node.js

Vendor Advisories

Red Hat: Important: rh-nodejs8-nodejs security update
Synopsis Important: rh-nodejs8-nodejs security update Type/Severity Security Advisory: Important Topic An update for rh-nodejs8-nodejs is now available for Red Hat Software CollectionsRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring Sys ...
Red Hat: Moderate: http-parser security update
Synopsis Moderate: http-parser security update Type/Severity Security Advisory: Moderate Topic An update for http-parser is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) base s ...
Amazon Linux AMI: ALAS-2020-1359
A flaw was found in the Nodejs code where a specially crafted HTTP(s) request sent to a Nodejs server failed to properly process the HTTP(s) headers, resulting in a request smuggling attack An attacker can use this flaw to alter a request sent as an authenticated user if the Nodejs server is deployed behind a proxy server that reuses connection ...
Amazon Linux 2: ALAS2-2019-1322
Nodejs: All versions prior to Nodejs 6150, 8140, 10140 and 1130: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure Attack p ...
Red Hat: CVE-2018-7159
It was found that the http module from Nodejs could accept incorrect Content-Length values, containing spaces within the value, in HTTP headers A specially crafted client could use this flaw to possibly confuse the script, causing unspecified behavior ...

References

CWE-20https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/https://access.redhat.com/errata/RHSA-2019:2258https://support.f5.com/csp/article/K27228191?utm_source=f5support&%3Butm_medium=RSShttps://access.redhat.com/errata/RHSA-2018:2949https://nvd.nist.govhttps://alas.aws.amazon.com/ALAS-2020-1359.html
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
remote code executionCVE-2024-34909CVE-2024-3317SSTICVE-2024-3400CVE-2024-30051wirelessCVE-2024-4622CVE-2024-4908
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook