CVE-2020-8287

Description

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

How to fix CVE-2020-8287

To remediate CVE-2020-8287, upgrade the affected package to a fixed version below.

• —upgrade to 12.20.1-r0 or later
• —upgrade to 10.23.1 or later
• —upgrade to 10.23.1 or later
• —upgrade to 2.9.4-4+deb11u1 or later
• —upgrade to 2.8.1-1+deb10u3 or later
• —upgrade to 12.20.1~dfsg-1 or later

Is CVE-2020-8287 being exploited?

Moderate — EPSS is 11.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (6)

• from 0, < 12.20.1-r0
• >= 10.0.0, < 10.23.1, >= 12.0.0, < 12.20.1, >= 14.0.0, < 14.15.4, >= 15.0.0, < 15.5.1
• >= 10.0.0, < 10.23.1, >= 12.0.0, < 12.20.1, >= 14.0.0, < 14.15.4, >= 15.0.0, < 15.5.1
• from 0, < 2.9.4-4+deb11u1
• from 0, < 2.8.1-1+deb10u3
• from 0, < 12.20.1~dfsg-1

CVSS scores

References (13)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2020-8287
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-8287
• WEBcert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• WEBhackerone.com/reports/1002188
• WEB