CVE-2019-15605

CRITICAL

Nodejs Node.js < 10.19.0 - HTTP Request Smuggling

Title source: rule

Description

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

Exploits (1)

nomisec WORKING POC

by 0-9194 · poc

https://github.com/0-9194/node-poc-http-smuggling

View Code ZIP pw:eip

References (21)

[Third Party Advisory] https://security.gentoo.org/glsa/202003-48

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0573

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0579

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0597

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0598

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0602

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0703

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0707

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0708

[Permissions Required, Third Party Advisory] https://hackerone.com/reports/735748

[Release Notes, Vendor Advisory] https://nodejs.org/en/blog/release/v10.19.0/

[Release Notes, Vendor Advisory] https://nodejs.org/en/blog/release/v12.15.0/

[Vendor Advisory] https://nodejs.org/en/blog/release/v13.8.0/

[Vendor Advisory] https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20200221-0004/

[Third Party Advisory] https://www.debian.org/security/2020/dsa-4669

[Patch, Third Party Advisory] https://www.oracle.com//security-alerts/cpujul2021.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2020.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/

... and 1 more

Scores

CVSS v3 9.8

EPSS 0.3225

EPSS Percentile 96.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-444

Status published

Affected Products (25)

nodejs/node.js < 10.19.0

nodejs/node.js < 13.8.0

debian/debian_linux

fedoraproject/fedora

opensuse/leap

redhat/software_collections

redhat/enterprise_linux

redhat/enterprise_linux_desktop

redhat/enterprise_linux_eus

redhat/enterprise_linux_server

redhat/enterprise_linux_server_aus

... and 10 more

Timeline

Published Feb 07, 2020

Tracked Since Feb 18, 2026