Connect with sales  +1 877-586-1965

By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

HD-2024-1407

HTTP Request Smuggling
Affects
Node.js
4.21.3 LTS
in
Node.js
Node.js NES
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs
View NES Solution

‍Overview

The llhttp parser in the http module in multiple versions of Node.js does not strictly use the CRLF sequence to delimit HTTP requests, which can lead to HTTP Request Smuggling (HRS).

HTTP Request Smuggling interferes with the proper fulfillment of requests by an HTTP server. The possible ramifications of this exploit include allowing unauthorized access to a system, allowing an attacker to modify data (in databases, user accounts and other records), session hijacking, information disclosure, cache poisoning and denial of service.

This issue affects the following versions of Node.js: 16.0.0 up to (but excluding) 16.20.1, 18.0.0 up to (but excluding) 18.16.1 and  20.0.0 up to (but excluding) 20.3.1

 

Details

Module Info

Vulnerability Info

This high-severity vulnerability is found in many versions of the llhttp library. Although RFC7230 section 3 indicates that only the CRLF sequence should delimit each header field, vulnerable versions of the library allow just the CR character (without LF) to delimit HTTP header fields. 

Since this library is bundled with Node.js, many versions of Node.js in the v16, v18 and v20 branches are affected.

There is no workaround.

Steps To Reproduce

  • Install a vulnerable version of Node.js on a server.
  • Craft an HTTP request that, instead of using \r\n (CRLF), uses just \r (CR) to end header fields. In the  example below, the first request ends with only \r, potentially allowing the second request to be smuggled (hidden to, or misinterpreted by, certain layers of the web server). The second request is formed correctly, because it properly terminates with \r\n.
POST / HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11\r
Cookie: session=abc123\r
\r
data=payload1
POST /secret HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
\r\n
data=payload2

Mitigation

All users should upgrade to a version of Node.js without this vulnerability.

Additional Resources

Pink arrow
Previous
HD-2024-1408
Next
HD-2024-1409
Pink arrow
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
HD-2024-1407
PROJECT Affected
Node.js
Versions Affected
4.21.3 LTS
Published date
October 16, 2024
≈ Fix date
June 30, 2024
Fixed in
Node.js NES
Severity
High
Category
HTTP Request Smuggling