PT-2024-2958 · Node.Js+9 · Node.Js+9

Bpingel

·

Published

2024-04-03

·

Updated

2026-05-18

·

CVE-2024-27982

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Node.js versions prior to the fixed version
Description The issue is related to insufficient handling of HTTP requests in the Node.js platform, allowing a remote attacker to send a hidden HTTP request, known as an HTTP Request Smuggling attack. This can occur when malformed headers are sent, specifically if a space is placed before a content-length header, which is not interpreted correctly. This enables attackers to smuggle in a second request within the body of the first.
Recommendations For Node.js versions prior to the fixed version, consider disabling the HTTP server functionality until a patch is available. Restrict access to the HTTP server to minimize the risk of exploitation. Avoid using malformed headers, specifically those with a space before a content-length header, in the affected HTTP server until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

HTTP Request/Response Smuggling

Weakness Enumeration

CWE-444

Related Identifiers

ALSA-2024:2778
ALSA-2024:2779
ALSA-2024:2780
ALSA-2024:2853
ALSA-2024:2910
ALT-PU-2024-5094
ALT-PU-2025-2007
ALT-PU-2025-2047
AZL-40349
AZL-40352
BDU:2024-03125
BIT-NODE-2024-27982
BIT-NODE-MIN-2024-27982
CESA-2024_2778
CESA-2024_2780
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2024-27982
DLA-3886-1
DSA-5991-1
ECHO-6B08-F4B2-DB87
INFSA-2024_2779
INFSA-2024_2853
INFSA-2024_2910
MGASA-2024-0110
OESA-2024-2171
OESA-2024-2172
OESA-2024-2173
OESA-2024-2174
OESA-2024-2175
OPENSUSE-SU-2024:13851-1
OPENSUSE-SU-2024:13852-1
OPENSUSE-SU-2024_1301-1
OPENSUSE-SU-2024_1306-1
OPENSUSE-SU-2024_1308-1
OPENSUSE-SU-2024_1309-1
RHSA-2024:2778
RHSA-2024:2779
RHSA-2024:2780
RHSA-2024:2853
RHSA-2024:2910
RHSA-2024:3545
RHSA-2024:4559
RHSA-2024_2778
RHSA-2024_2779
RHSA-2024_2780
RHSA-2024_2853
RHSA-2024_2910
RLSA-2024:2778
RLSA-2024:2779
RLSA-2024:2780
RLSA-2024:2853
RLSA-2024:2910
SUSE-SU-2024:1301-1
SUSE-SU-2024:1305-1
SUSE-SU-2024:1306-1
SUSE-SU-2024:1307-1
SUSE-SU-2024:1308-1
SUSE-SU-2024:1309-1
SUSE-SU-2024:1346-1
SUSE-SU-2024:1355-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Node.Js
Red Hat
Red Os
Rocky Linux
Suse