CVE-2016-2216
HIGHNodejs Node.js - Improper Input Validation
Title source: ruleDescription
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
References (8)
Scores
CVSS v3
7.5
EPSS
0.0184
EPSS Percentile
82.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Classification
CWE
CWE-20
Status
draft
Affected Products (50)
nodejs/node.js
nodejs/node.js
nodejs/node.js
nodejs/node.js
nodejs/node.js
nodejs/node.js
nodejs/node.js
nodejs/node.js
nodejs/node.js
nodejs/node.js
nodejs/node.js
nodejs/node.js
nodejs/node.js
nodejs/node.js
nodejs/node.js
... and 35 more
Timeline
Published
Apr 07, 2016
Tracked Since
Feb 18, 2026