Node.js: HTTP Request Splitting protection only works halfway

Research by Martino Spagnuolo shows a limitation in the fix for CVE-2018-12116 (HTTP Request Splitting). Node.js validates the HTTP request path for CRLF characters only once — when the request object is created. However, some libraries allow the request path to be modified later through library hooks or middleware, and this change is not revalidated.

As a result, an attacker may introduce CRLF sequences after the initial check, potentially leading to HTTP request splitting. Node.js maintainers do not classify this behavior as a vulnerability, but the article provides a detailed analysis and proof-of-concept exploitation.

Vulnerable libraries: node-http-proxy, http-proxy-middleware, http-proxy-3 (Vite), httpxy (Nitro/Nuxt), superagent, request, @hapi/wreck

📎 Article: https://r3verii.github.io/cve/2026/02/27/nodejs-toctou.html

💬 Discuss