CVE-2020-8287

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

Published: Jan 6, 2021
Updated: Apr 14, 2023
CVE: CVE-2020-8287
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

CWEs:

CWE-444

Affected Software
References

Software	From	Fixed in
nodejs / node.js	15.0.0	15.5.1
nodejs / node.js	14.0.0	14.15.4
nodejs / node.js	12.0.0	12.20.1
nodejs / node.js	10.0.0	10.23.1
debian / debian_linux	10.0	10.0.x
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
oracle / graalvm	19.3.4	19.3.4.x
oracle / graalvm	20.3.0	20.3.0.x
siemens / sinec_infrastructure_network_services	-	1.0.1.1

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://hackerone.com/reports/1002188
https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/
https://lists.fedoraproject.org/archives/list/[email protected]/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/
https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
https://security.gentoo.org/glsa/202101-07
https://security.netapp.com/advisory/ntap-20210212-0003/
https://www.debian.org/security/2021/dsa-4826
https://www.oracle.com/security-alerts/cpujan2021.html

Vulnerability Database

289,599

CVE-2020-8287