131 matches found
Header Injection
aiohttp is vulnerable to Header Injection. The vulnerability is due to the C parser llhttp accepting null bytes and control characters in response header values, where crafted header values containing these characters can be interpreted differently by the application or downstream proxies,...
CVE-2026-34520
CVE-2026-34520 affects the aiohttp project. Prior to version 3.13.4, the C parser (llhttp, default for most installs) accepted null bytes and control characters in response header values, enabling header-related issues. The issue has been patched in aiohttp 3.13.4. Per connected sources, the vuln...
EUVD-2022-38147
Malicious code in bioql PyPI...
EUVD-2023-2033
Malicious code in bioql PyPI...
BIT-NODE-MIN-2022-32213
The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling HRS...
BIT-NODE-MIN-2022-32214
The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS...
BIT-NODE-MIN-2022-32215
The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling HRS...
BIT-NODE-MIN-2022-35256
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling...
BIT-NODE-MIN-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...
python-aiohttp: HTTP request smuggling via llhttp HTTP request parser
A flaw was found in aio-libs aiohttp, where it is vulnerable to HTTP request smuggling, caused by a flaw in the aiohttp.web.Application. By sending a specially crafted HTTPS request, an attacker can poison the web cache, bypass web application firewall protection, and conduct Cross-site scripting...
python-aiohttp: HTTP request smuggling via llhttp HTTP request parser
A flaw was found in aio-libs aiohttp, where it is vulnerable to HTTP request smuggling, caused by a flaw in the aiohttp.web.Application. By sending a specially crafted HTTPS request, an attacker can poison the web cache, bypass web application firewall protection, and conduct Cross-site scripting...
BIT-NODE-2022-32213
The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling HRS...
BIT-NODE-2022-32215
The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling HRS...
BIT-NODE-2022-35256
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling...
BIT-NODE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...
Ubuntu 18.04 ESM / 20.04 LTS / 22.04 LTS : Node.js vulnerabilities (USN-6491-1)
The remote Ubuntu 18.04 ESM / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6491-1 advisory. Axel Chong discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening...
nodejs: HTTP Request Smuggling via Empty headers separated by CR
A vulnerability has been identified in the Node.js, where llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS...
nodejs: HTTP Request Smuggling via Empty headers separated by CR
A vulnerability has been identified in the Node.js, where llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS...
OESA-2023-1551 nodejs security update
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...
SUSE SLES15 / openSUSE 15 Security Update : nodejs12 (SUSE-SU-2023:3455-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3455-1 advisory. - A privilege escalation vulnerability exists in Node.js 19.6.1, 18.14.1, 16.19.1 and 14.21.3 that made it possible t...