CVE-2016-2216
CVSS 3.1: 7.5 (HIGH)
EPSS: 1.8%
Description
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
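The description above names the mechanism but not why it worked. The following is an added example written for this page, not Node.js source and not code from the advisory; it models the bug class from a defender's side. A response-splitting guard that searches the JavaScript string for CR/LF is bypassed when the header is later serialized with the `latin1` (binary) encoding, which keeps only the low byte of each UTF-16 code unit: U+010D (`%c4%8d`) folds to 0x0D and U+010A (`%c4%8a`) folds to 0x0A. The sample value, the function names and the strict allow-list regex are assumptions of this example; the allow-list follows the HTAB / visible-ASCII / obs-text shape of the header grammar rather than any specific Node.js code.

```javascript
// Added example (written for this page; not Node.js source and not code from the
// advisory). It models the bug class behind CVE-2016-2216: a response-splitting
// guard that searches the JavaScript string for CR/LF, while the header is later
// serialized with the 'latin1' (binary) encoding, which keeps only the low byte
// of each UTF-16 code unit. U+010D (%c4%8d) folds to 0x0D and U+010A (%c4%8a)
// folds to 0x0A, so the guard passes and the wire bytes still contain CR LF.

// The bypassed guard: only a literal CR or LF in the string counts as unsafe.
function naiveIsSafeHeaderValue(value) {
  return !/[\r\n]/.test(value);
}

// Serialize a header value the way a latin1 writer does (low byte per code unit).
function serializeLatin1(value) {
  return Buffer.from(value, 'latin1');
}

// Hardened guard (assumed shape, not Node's exact code): allow only HTAB, visible
// ASCII and obs-text (0x80-0xFF). Any other code point, including U+010D/U+010A,
// is rejected before serialization, so nothing can fold into a control byte.
function strictIsSafeHeaderValue(value) {
  return !/[^\t\x20-\x7e\x80-\xff]/.test(value);
}

// Detection on the serialized form: does the byte stream contain CR or LF?
function containsCrlfBytes(buf) {
  return buf.includes(0x0d) || buf.includes(0x0a);
}

// Constructed sample: a benign prefix, the decoded %c4%8d%c4%8a sequence named in
// the advisory (U+010D U+010A), then text that would read as a second header line.
const SAMPLE_VALUE = 'text/html' + '\u010d\u010a' + 'X-Constructed: injected';

// Run both guards over a value and report what actually reaches the wire.
function evaluate(value) {
  const bytes = serializeLatin1(value);
  return {
    naiveAccepts: naiveIsSafeHeaderValue(value),   // true for SAMPLE_VALUE: bypassed
    strictAccepts: strictIsSafeHeaderValue(value), // false for SAMPLE_VALUE: rejected
    wireHasCrlf: containsCrlfBytes(bytes),         // true for SAMPLE_VALUE
    wireHex: bytes.toString('hex'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(evaluate(SAMPLE_VALUE));
  console.log(evaluate('text/html; charset=utf-8'));
}
```

The point for a reviewer of any header-writing code: validate the value against the byte-level grammar of what will be emitted, not against the pre-encoding string, and keep the check as an allow-list rather than a deny-list of two characters.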
How to fix CVE-2016-2216
To remediate CVE-2016-2216, upgrade the affected package to a fixed version below.
- Debian/nodejs—upgrade to 4.3.0~dfsg-1 or later
Is CVE-2016-2216 being exploited?
Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Debian/nodejs: all versions from 0 up to, but not including, 4.3.0~dfsg-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |