CVE-2019-15605

CRITICAL

Nodejs Node.js < 10.19.0 - HTTP Request Smuggling

Title source: rule

Description

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

Exploits (1)

nomisec WORKING POC

by 0-9194 · poc

https://github.com/0-9194/node-poc-http-smuggling

View Code ZIP pw:eip

References (21)

[Third Party Advisory] https://security.gentoo.org/glsa/202003-48

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0573

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0579

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0597

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0598

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0602

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0703

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0707

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0708

[Permissions Required, Third Party Advisory] https://hackerone.com/reports/735748

[Release Notes, Vendor Advisory] https://nodejs.org/en/blog/release/v10.19.0/

[Release Notes, Vendor Advisory] https://nodejs.org/en/blog/release/v12.15.0/

[Vendor Advisory] https://nodejs.org/en/blog/release/v13.8.0/

[Vendor Advisory] https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20200221-0004/

[Third Party Advisory] https://www.debian.org/security/2020/dsa-4669

[Patch, Third Party Advisory] https://www.oracle.com//security-alerts/cpujul2021.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2020.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/

... and 1 more

Scores

CVSS v3 9.8

EPSS 0.3225

EPSS Percentile 96.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-444

Status published

Products (25)

debian/debian_linux 10.0

fedoraproject/fedora 30

nodejs/node.js 10.0.0 - 10.19.0

nodejs/node.js 13.0.0 - 13.8.0

opensuse/leap 15.1

oracle/graalvm 19.3.1

oracle/graalvm 20.0.0

redhat/enterprise_linux 8.0

redhat/enterprise_linux_desktop 7.0

redhat/enterprise_linux_eus 7.7

... and 15 more

Published Feb 07, 2020

Tracked Since Feb 18, 2026