CVE-2024-27982
MEDIUMNode < 18.20.1, 19.x, < 20.12.1, < 21.7.2 - HTTP Request Smuggling via Malformed Content-Length Header
Title source: llmDescription
The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
References (6)
Core 6
Core References
Third Party Advisory
https://hackerone.com/reports/2237099
Vendor Advisory
https://security.netapp.com/advisory/ntap-20250418-0001/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/QJAKA33NJCI3XLQS2K36DRCUMWIFFYVU/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/X4M5XZZONMS4DAZE3CNDFDRSB6JQCL6Y/
Scores
CVSS v3
6.5
EPSS
0.0115
EPSS Percentile
62.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-444
Status
published
Products (18)
NodeJS/Node
10.0 - 10.*
NodeJS/Node
11.0 - 11.*
NodeJS/Node
12.0 - 12.*
NodeJS/Node
13.0 - 13.*
NodeJS/Node
14.0 - 14.*
NodeJS/Node
15.0 - 15.*
NodeJS/Node
16.0 - 16.*
NodeJS/Node
17.0 - 17.*
NodeJS/Node
18.0 - 18.20.1
NodeJS/Node
19.0 - 19.*
... and 8 more
Published
May 07, 2024
Tracked Since
Feb 18, 2026