HTTP Request Splitting in Node.js Versions Prior to 6.15.0 and 8.14.0
CVE-2018-12116

7.5 HIGH

Key Information:

CVE Published: 28 November 2018

What is CVE-2018-12116?

A vulnerability exists in Node.js that affects all versions prior to 6.15.0 and 8.14.0, allowing for HTTP request splitting. This issue arises when Node.js processes unsanitized user-provided Unicode data in the path option of an HTTP request. An attacker may exploit this flaw by manipulating the request, resulting in an unintended and user-defined HTTP request being sent to the same server. This exploitation can lead to unforeseen actions being executed on behalf of the affected service.
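
As an added example (not part of this advisory and not Node.js's own code), here is one way an application can keep user input from reaching the path option unsanitized, in addition to upgrading: percent-encode the untrusted segment, then reject any path that still contains a character outside printable ASCII. The function names and the printable-ASCII policy are assumptions of this example.

```javascript
'use strict';
// Added example: defensive handling of user input before it is used as the
// `path` option of http.request(). All function names here are hypothetical.

// Matches anything outside printable ASCII: spaces, control characters
// (including CR and LF) and every non-ASCII / Unicode character.
const UNSAFE_PATH_CHARS = /[^\u0021-\u007e]/;

// Returns `path` unchanged if it is safe to place on a request line,
// otherwise throws with the offending character and its position.
function assertSafeRequestPath(path) {
  if (typeof path !== 'string' || path.length === 0 || path[0] !== '/') {
    throw new TypeError('request path must be a non-empty string starting with "/"');
  }
  const m = UNSAFE_PATH_CHARS.exec(path);
  if (m) {
    const cp = m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
    throw new TypeError(`request path contains unsafe character U+${cp} at index ${m.index}`);
  }
  return path;
}

// Joins a fixed, trusted prefix with an untrusted segment. The segment is
// percent-encoded first, so Unicode, spaces and line breaks become %XX
// sequences; the result is then validated as a second line of defence.
function buildRequestPath(prefix, userSegment) {
  return assertSafeRequestPath(prefix + encodeURIComponent(String(userSegment)));
}

// Produces an options object suitable for http.request(options, callback).
function safeRequestOptions(host, prefix, userSegment) {
  return { host, method: 'GET', path: buildRequestPath(prefix, userSegment) };
}
```

Call assertSafeRequestPath directly on any path that is assembled elsewhere (for example, read from configuration or a queue) before it is handed to http.request.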

Affected Version(s)

Node.js: all versions prior to 6.15.0 and 8.14.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
