CVE-2020-8201

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.

Published: Sep 18, 2020
Updated: Apr 14, 2023
CVE: CVE-2020-8201
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.4
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N

CWEs:

CWE-444

Affected Software
References

Software	From	Fixed in
nodejs / node.js	14.0.0	14.11.0
nodejs / node.js	12.0.0	12.18.4
opensuse / leap	15.2	15.2.x
fedoraproject / fedora	33	33.x

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html
https://hackerone.com/reports/922597
https://lists.fedoraproject.org/archives/list/[email protected]/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
https://security.gentoo.org/glsa/202101-07
https://security.netapp.com/advisory/ntap-20201009-0004/

Vulnerability Database

289,599

CVE-2020-8201