RUSTSEC-2021-0020 Multiple Transfer-Encoding headers misinterprets request payload

hyper's HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can...

Amazon Linux 2 : libuv (ALAS-2021-1581)

The version of libuv installed on the remote host is prior to 1.39.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1581 advisory. Node.js 12.18.4 and 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting...

Oracle Linux 8 : nodejs:12 (ELSA-2020-4272)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-4272 advisory. nodejs 1:12.18.4-2 - Resolves: RHBZ1883966 - nodejs-devel not installable due to missing brotli - Some spec fixes 12.18.4-1 - Rebase to 12.18.4...

Design/Logic Flaw

Node.js 12.18.4 and 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture ...

CVE-2020-8201

Node.js 12.18.4 and 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture ...

CVE-2020-8201

CVE-2020-8201 – Node.js HTTP header processing issue : Affects Node.js versions < 12.18.4 and

FreeBSD : Node.js -- multiple vulnerabilities (0032400f-624f-11ea-b495-000d3ab229d6)

Node.js reports : Updates are now available for all active Node.js release lines for the following issues. HTTP request smuggling using malformed Transfer-Encoding header Critical CVE-2019-15605HTTP request smuggling using malformed Transfer-Encoding header Critical CVE-2019-15605 Affected Node.j...

LY Corporation: Request smuggling on admin-official.line.me could lead to account takeover

The reporter identified a request smuggling issue on admin-official.line.me TE.CL-type. The reporter clearly illustrated the impact without putting our users at risk or affecting the stability of our service. For this we would like to thank @shaolintw! This issue was the result of how our load...

HTTP Request Smuggler - Extension For Burp Suite Designed To Help You Launch HTTP Request Smuggling Attacks

This is an extension for Burp Suite designed to help you launch HTTP Request Smuggling attacks, originally created during HTTP Desync Attacks research. It supports scanning for Request Smuggling vulnerabilities and also aids exploitation by handling cumbersome offset-tweaking for you. Install The...