CVE-2024-27982

Description

The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.

How to fix CVE-2024-27982

To remediate CVE-2024-27982, upgrade the affected package to a fixed version below.

• —upgrade to 18.20.1-r0 or later
• —upgrade to 18.20.1 or later
• —upgrade to 18.20.1 or later
• —upgrade to 12.22.12~dfsg-1~deb11u5 or later

Is CVE-2024-27982 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 18.20.1-r0
• from 0, < 18.20.1, >= 19.0.0, < 20.12.1, >= 21.0.0, < 21.7.2
• from 0, < 18.20.1, >= 19.0.0, < 20.12.1, >= 21.0.0, < 21.7.2
• from 0, < 12.22.12~dfsg-1~deb11u5

CVSS scores

References (12)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-27982
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-27982
• WEBgithub.com/nodejs/node/releases/tag/v18.20.1
• WEBgithub.com/nodejs/node/releases/tag/v20.12.1
• WEB