PT-2020-5068 · Node.Js+6

Published 2020-09-16 · Updated 2026-05-18 · CVE-2020-8201

CVSS v3.1: 7.4 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Node.js versions prior to 12.18.4
Node.js versions prior to 14.11
Description

The issue stems from an error in the way HTTP header names are processed, which a remote attacker can exploit to gain access to protected information or elevate privileges. It enables HTTP desync (request smuggling) attacks, allowing malicious payloads to be delivered to users. Depending on the system architecture, such payloads can be crafted to hijack user sessions, poison cookies, or perform clickjacking, among other attacks. The root cause is a bug in the handling of carriage-return characters within HTTP header names.
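An added example (not from the advisory or the Node.js project) of the strict check a defender-side proxy or parser should apply to the bug class described above: the header block is split only on CRLF and every field name must be an RFC 7230 token, so a bare carriage return inside a header name is reported as a malformed request instead of being silently treated as a line break. The sample requests are constructed for illustration and the function name check_request_head is an assumption.

```python
import re

# RFC 7230 "token" characters: the only ones permitted in a header field name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample requests (not captured traffic).
GOOD_REQUEST = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 5\r\n\r\nhello"
)
# A bare CR sits inside the header name; a lenient parser that treats CR as a
# line terminator would see two headers here, a strict one must reject it.
BAD_REQUEST = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\n"
    b"X-Foo\rContent-Length: 5\r\n\r\nhello"
)


def check_request_head(raw: bytes) -> list:
    """Return the list of problems found in the header block of a raw request.

    Lines are split strictly on CRLF. Any bare CR or LF left inside a field
    line is reported, and each field name must be an RFC 7230 token.
    """
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append("header block not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    if len(request_line.split(b" ")) != 3:
        problems.append("malformed request line")
    for i, line in enumerate(header_lines, 1):
        if b"\r" in line or b"\n" in line:
            problems.append(f"header {i}: bare CR or LF inside field line")
        name, colon, _value = line.partition(b":")
        if not colon:
            problems.append(f"header {i}: missing ':'")
            continue
        # Trailing whitespace before ':' and any non-token byte are rejected.
        if not _TOKEN.match(name.decode("latin-1")):
            problems.append(f"header {i}: field name {name!r} is not a token")
    return problems


if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(label, check_request_head(req) or "ok")
```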
Recommendations

For Node.js versions prior to 12.18.4, update to version 12.18.4 or later. For Node.js versions prior to 14.11, update to version 14.11 or later. As a temporary workaround, restrict access to sensitive information and apply additional security measures to minimize the risk of session hijacking and other attacks.

Fix

HTTP Request/Response Smuggling


Weakness Enumeration

Related Identifiers

ALSA-2020:4272
ALT-PU-2020-2824
ALT-PU-2020-2926
ALT-PU-2022-3073
BDU:2020-05657
BIT-NODE-2020-8201
BIT-NODE-MIN-2020-8201
CESA-2020_4272
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2020-8201
OPENSUSE-SU-2020:1616-1
OPENSUSE-SU-2020_1616-1
OPENSUSE-SU-2024:11096-1
RHSA-2020:4272
RHSA-2020:4903
RHSA-2020:5086
RHSA-2020_4272
RLSA-2020:4272
SUSE-SU-2020:2812-1
SUSE-SU-2020:2813-1

Affected Products

Alt Linux
Almalinux
Centos
Node.Js
Red Hat
Rocky Linux
Suse