The team has identified a critical vulnerability in the HTTP server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a Content-Length header, the header is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
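A defensive check for the condition described above, written as an added example that is not Node's own parser code: it audits a raw HTTP/1.1 header block and flags any field line a strict front end should refuse, including a framing header preceded by whitespace. It goes slightly beyond the single case in the text by also catching other malformed field names and duplicated framing headers; the function names, the sample requests and the host `app.example` are assumptions made for illustration.

```javascript
// Added example: audit a raw HTTP/1.1 header block before it reaches a backend.
// RFC 9110 field names are "token" characters followed directly by ':'.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const FRAMING = new Set(['content-length', 'transfer-encoding']);

function auditHeaderBlock(raw) {
  const findings = [];
  const head = raw.split('\r\n\r\n', 1)[0];
  const lines = head.split('\r\n').slice(1); // drop the request line
  const framingSeen = {};
  lines.forEach((line, idx) => {
    const lineNo = idx + 2; // 1-based; the request line is line 1
    const colon = line.indexOf(':');
    const name = colon === -1 ? line : line.slice(0, colon);
    const normalized = name.trim().toLowerCase();
    // Would a lenient parser treat this line as a message-framing header?
    const framing = FRAMING.has(normalized);
    if (framing) framingSeen[normalized] = (framingSeen[normalized] || 0) + 1;
    if (colon === -1) {
      findings.push({ lineNo, issue: 'missing-colon', framing });
    } else if (/^[ \t]/.test(name)) {
      findings.push({ lineNo, issue: 'leading-whitespace', framing });
    } else if (!TOKEN.test(name)) {
      findings.push({ lineNo, issue: 'invalid-field-name', framing });
    }
  });
  for (const [name, count] of Object.entries(framingSeen)) {
    if (count > 1) findings.push({ lineNo: null, issue: 'duplicate-' + name, framing: true });
  }
  return findings;
}

// Reject on any finding: a strict front end answers 400 instead of guessing,
// so it can never disagree with the backend about where the body ends.
function shouldReject(raw) {
  return auditHeaderBlock(raw).length > 0;
}

// Constructed samples (not captured traffic); app.example is a placeholder host.
const SAMPLE_OK =
  'POST /submit HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello';
const SAMPLE_SPACE =
  'POST /submit HTTP/1.1\r\nHost: app.example\r\n Content-Length: 5\r\n\r\nhello';

console.log(auditHeaderBlock(SAMPLE_OK));
console.log(auditHeaderBlock(SAMPLE_SPACE));
```

Findings with `framing: true` are the ones to alert on first, since they mark the lines where two parsers can disagree about the request boundary.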
{
  "availability": "No subscription required",
  "ubuntu_priority": "medium",
  "binaries": [
    { "binary_version": "20.16.0+dfsg-1ubuntu1", "binary_name": "libnode-dev" },
    { "binary_version": "20.16.0+dfsg-1ubuntu1", "binary_name": "libnode115" },
    { "binary_version": "20.16.0+dfsg-1ubuntu1", "binary_name": "libnode115-dbgsym" },
    { "binary_version": "20.16.0+dfsg-1ubuntu1", "binary_name": "nodejs" },
    { "binary_version": "20.16.0+dfsg-1ubuntu1", "binary_name": "nodejs-dbgsym" },
    { "binary_version": "20.16.0+dfsg-1ubuntu1", "binary_name": "nodejs-doc" }
  ]
}