PT-2018-17920 · Node.Js+4

Chalker +1 · Published 2018-04-16 · Updated 2020-02-13 · CVE-2018-7159

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Node.js versions (affected versions not specified)

Description

The HTTP parser in Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12. This does not align with the HTTP specification, which does not allow for spaces in the Content-Length value. The security risk of this flaw is considered to be very low, as it is difficult to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for Content-Length. However, vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied.

Recommendations

For all affected versions, users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
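
One way to apply the re-check recommended above, as an added example that is not code from Node.js or from this advisory: a lenient reader modelling the described behaviour sits beside a strict one, and the declared length is compared with the bytes actually received. The function names and sample inputs are hypothetical and constructed for illustration.

```javascript
'use strict';

// Model of the behaviour the advisory describes (not Node's parser source):
// spaces inside the value are skipped, so "1 2" is read as 12.
function lenientContentLength(raw) {
  const digits = raw.replace(/ /g, '');
  return /^[0-9]+$/.test(digits) ? Number(digits) : null;
}

// Strict form: only surrounding whitespace is stripped, the value itself
// must consist of digits only, and it must fit in a safe integer.
function strictContentLength(raw) {
  const value = String(raw).replace(/^[ \t]+|[ \t]+$/g, '');
  if (!/^[0-9]+$/.test(value)) return null;
  const n = Number(value);
  return Number.isSafeInteger(n) ? n : null;
}

// Re-check after parsing: compare the declared length with the bytes that
// were actually received, and refuse the message on any disagreement.
function checkBody(rawHeader, body) {
  const declared = strictContentLength(rawHeader);
  if (declared === null) {
    return { ok: false, reason: 'malformed Content-Length' };
  }
  const actual = Buffer.byteLength(body);
  if (actual !== declared) {
    return { ok: false, reason: `declared ${declared}, received ${actual}` };
  }
  return { ok: true, length: actual };
}

// Constructed sample inputs: [Content-Length header value, body].
const samples = [
  ['12', 'hello world!'],
  ['1 2', 'hello world!'],
  [' 12 ', 'hello world!'],
  ['12', 'short'],
];
for (const [header, body] of samples) {
  console.log(JSON.stringify(header), lenientContentLength(header),
    JSON.stringify(checkBody(header, body)));
}
```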

Exploit

RCE

Weakness Enumeration

Related Identifiers

ALT-PU-2018-1764
AZL-40842
CESA-2019_2258
CVE-2018-7159
MGASA-2019-0277
RHSA-2018:2949
RHSA-2019:2258
RHSA-2019_2258
SUSE-SU-2018:0952-1
SUSE-SU-2018:1183-1
SUSE-SU-2019:14246-1
SUSE-SU-2019_14246-1

Affected Products

ALT Linux
CentOS
Node.js
Red Hat
SUSE