CVE-2016-2216

Name of the Vulnerable Software and Affected Versions Node.js versions 0.10.x before 0.10.42 Node.js versions 0.11.6 through 0.11.16 Node.js versions 0.12.x before 0.12.10 Node.js versions 4.x before 4.3.0 Node.js versions 5.x before 5.6.0

Description The issue allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header. This can be demonstrated by using characters such as %c4%8d%c4%8a.

Recommendations For Node.js versions 0.10.x before 0.10.42, update to version 0.10.42 or later. For Node.js versions 0.11.6 through 0.11.16, update to a version outside of this range, such as version 0.11.17 or later. For Node.js versions 0.12.x before 0.12.10, update to version 0.12.10 or later. For Node.js versions 4.x before 4.3.0, update to version 4.3.0 or later. For Node.js versions 5.x before 5.6.0, update to version 5.6.0 or later.