CVE-2024-27982

MEDIUM

Node - HTTP Request Smuggling

Title source: llm

Description

The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.

References (6)

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html

[Third Party Advisory] https://hackerone.com/reports/2237099

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20250418-0001/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/QJAKA33NJCI3XLQS2K36DRCUMWIFFYVU/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/X4M5XZZONMS4DAZE3CNDFDRSB6JQCL6Y/

Scores

CVSS v3 6.5

EPSS 0.0039

EPSS Percentile 60.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-444

Status published

Products (18)

NodeJS/Node 10.0 - 10.*

NodeJS/Node 11.0 - 11.*

NodeJS/Node 12.0 - 12.*

NodeJS/Node 13.0 - 13.*

NodeJS/Node 14.0 - 14.*

NodeJS/Node 15.0 - 15.*

NodeJS/Node 16.0 - 16.*

NodeJS/Node 17.0 - 17.*

NodeJS/Node 18.0 - 18.20.1

NodeJS/Node 19.0 - 19.*

... and 8 more

Published May 07, 2024

Tracked Since Feb 18, 2026