CVE-2024-27982

EPSS 0.17%
Veröffentlicht 07.05.2024 17:15:07
Zuletzt bearbeitet 19.04.2025 01:15:43
Quelle support@hackerone.com
Teams Watchlist Login
Unerledigt Login

The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellernodejs

≫

Produkt node.js

Default Statusunknown

Version 20.12.0, 21.7.2, 18.20.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.385

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
support@hackerone.com	6.5	3.9	2.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://hackerone.com/reports/2237099

https://security.netapp.com/advisory/ntap-20250418-0001/

https://nvd.nist.gov/vuln/detail/CVE-2024-27982

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-27982

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-27982

EUVD