Zeyu Zhang

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.17.12 Go versions prior to 1.18.4 **Description** The issue arises from the acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http. This can lead to HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid. The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. **Recommendations** For Go versions prior to 1.17.12, update to version 1.17.12 or later. For Go versions prior to 1.18.4, update to version 1.18.4 or later.

**Name of the Vulnerable Software and Affected Versions** Node.js versions prior to 14.20.1 Node.js versions prior to 16.17.1 Node.js versions prior to 18.9.1 **Description** The issue arises from the llhttp parser in the http module in Node.js, which does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). All versions of the nodejs 18.x, 16.x, and 14.x release lines are impacted. **Recommendations** For Node.js versions prior to 14.20.1, update to version 14.20.1 or later. For Node.js versions prior to 16.17.1, update to version 16.17.1 or later. For Node.js versions prior to 18.9.1, update to version 18.9.1 or later. As a temporary workaround, consider restricting access to the `http` module until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Node.js versions prior to 14.20.1 Node.js versions prior to 16.17.1 Node.js versions prior to 18.9.1 **Description** The issue arises from the llhttp parser in the http module of Node.js not correctly handling multi-line Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS). **Recommendations** For versions prior to 14.20.1, update to version 14.20.1 or later. For versions prior to 16.17.1, update to version 16.17.1 or later. For versions prior to 18.9.1, update to version 18.9.1 or later.

**Name of the Vulnerable Software and Affected Versions** Node.js versions prior to 14.20.1 Node.js versions prior to 16.17.1 Node.js versions prior to 18.9.1 **Description** The issue is related to the llhttp parser in the http module in Node.js, which does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS), allowing a remote attacker to perform an attack. The LF character (without CR) is sufficient to delimit HTTP header fields in the llhttp parser, which contradicts RFC7230 section 3 that states only the CRLF sequence should delimit each header-field. **Recommendations** For versions prior to 14.20.1, update to version 14.20.1 or later. For versions prior to 16.17.1, update to version 16.17.1 or later. For versions prior to 18.9.1, update to version 18.9.1 or later.

**Name of the Vulnerable Software and Affected Versions** Node.js versions prior to 14.20.0 Node.js versions prior to 16.20.0 Node.js versions prior to 18.5.0 **Description** A OS Command Injection vulnerability exists in Node.js due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests, allowing rebinding attacks. The vulnerability is related to the IsIPAddress function, which lacks input validation measures. This allows a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. **Recommendations** For versions prior to 14.20.0, update to version 14.20.0 or later. For versions prior to 16.20.0, update to version 16.20.0 or later. For versions prior to 18.5.0, update to version 18.5.0 or later.