CVE-2016-2086
HIGH
Node.js 0.10.x < 0.10.42, 0.12.x < 0.12.10, 4.x < 4.3.0, 5.x < 5.6.0 - HTTP Request Smuggling via Content-Length Header
Title source: llm
Description
Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
References (5)
Core References
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177673.html
Patch, Vendor Advisory x_refsource_confirm
https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177184.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/83282
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201612-43
Scores
CVSS v3: 7.5
EPSS: 0.0048
EPSS Percentile: 65.4%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE: CWE-20
Status: published
Products (50)
fedoraproject/fedora 22
fedoraproject/fedora 23
nodejs/node.js 0.10.0
nodejs/node.js 0.10.1
nodejs/node.js 0.10.2
nodejs/node.js 0.10.3
nodejs/node.js 0.10.4
nodejs/node.js 0.10.5
nodejs/node.js 0.10.6
nodejs/node.js 0.10.7
... and 40 more
Published: Apr 07, 2016
Tracked Since: Feb 18, 2026