CVE-2020-8287

Published: 06/01/2021 Updated: 07/11/2023
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
CVSS v3 Base Score: 6.5 | Impact Score: 2.5 | Exploitability Score: 3.9
VMScore: 570
Vector (CVSS v2): AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Summary

Node.js versions prior to 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

Vulnerability Trend

Vulnerable Products

nodejs node.js

debian debian linux 10.0

fedoraproject fedora 32

fedoraproject fedora 33

oracle graalvm 19.3.4

oracle graalvm 20.3.0

siemens sinec infrastructure network services

Vendor Advisories

Debian Bug report logs - #979364 nodejs: CVE-2020-8265 CVE-2020-8287. Package: src:nodejs; Maintainer for src:nodejs is Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 5 Jan 2021 20:15:02 UTC; Severity: grave; Tags: security, ...
Two vulnerabilities were discovered in Node.js, which could result in denial of service and potentially the execution of arbitrary code or HTTP request smuggling. For the stable distribution (buster), these problems have been fixed in version 10.23.1~dfsg-1~deb10u1. We recommend that you upgrade your nodejs packages. For the detailed security statu ...
Synopsis: Moderate: rh-nodejs10-nodejs security update. Type/Severity: Security Advisory: Moderate. Topic: An update for rh-nodejs10-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring Syst ...
Synopsis: Moderate: nodejs:10 security update. Type/Severity: Security Advisory: Moderate. Topic: An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) ...
Synopsis: Moderate: nodejs:12 security update. Type/Severity: Security Advisory: Moderate. Topic: An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) ...
Synopsis: Moderate: rh-nodejs12-nodejs security update. Type/Severity: Security Advisory: Moderate. Topic: An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring Syst ...
Synopsis: Moderate: nodejs:14 security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring S ...
Synopsis: Moderate: rh-nodejs14-nodejs security update. Type/Severity: Security Advisory: Moderate. Topic: An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring Syst ...
The Node.js release lines 15.x, 14.x, 12.x and 10.x allow two copies of a header field in an HTTP request, for example two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling. The issue is fixed in Node.js versions 15.5.1, 14.15.4, 12.20.1 and 10.23.1 ...

ICS Advisories

Hitachi Energy MicroSCADA Pro/X SYS600
Critical Infrastructure Sectors: Energy
Siemens SINEC INS
Critical Infrastructure Sectors: Energy

Github Repositories

PoC of HTTP Request Smuggling in nodejs (CVE-2020-8287)

nodejs-http-transfer-encoding-smuggling-poc: PoC of HTTP Request Smuggling in nodejs (CVE-2020-8287). Output of src/index.js: { header: [ 'Host', '127.0.0.1', 'Transfer-Encoding', 'chunked', 'Transfer-Encoding', 'eee' ], body: 'A' } { header: [ 'Host', '127.0.0.1' ], body: