Important Update Node.js to 18.20.1, 20.12.1, 21.7.2 or newer

https://blog.svrjs.org/2024/04/03/IMPORTANT-Update-Node-JS-to-18-20-1-20-12-1-21-7-2-or-newer/

IMPORTANT! Update Node.JS to 18.20.1, 20.12.1, 21.7.2 or newer!

Published on: April 3, 2024

IMPORTANT! Update Node.JS to 18.20.1, 20.12.1, 21.7.2 or newer!

Older versions of Node.JS had a CVE-2024-27982 vulnerability, which involves placing a space before Content-Length header, enabling attackers to smuggle in a second request.

The original vulnerability description:

The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.

Future SVR.JS versions will warn you about this vulnerability in server logs, if you're running affected versions of Node.JS.

{
"by": "dorianniemiec",
"descendants": 0,
"id": 40232990,
"kids": [
40233125
],
"score": 5,
"time": 1714627727,
"title": "Important Update Node.js to 18.20.1, 20.12.1, 21.7.2 or newer",
"type": "story",
"url": "https://blog.svrjs.org/2024/04/03/IMPORTANT-Update-Node-JS-to-18-20-1-20-12-1-21-7-2-or-newer/"
}
{
"author": null,
"date": null,
"description": "IMPORTANT! Update Node.JS to 18.20.1, 20.12.1, 21.7.2 or newer!",
"image": "https://cdn.sanity.io/images/ihdlodfv/production/8599aaf874cdc2b1857cb0b59fe996abebcc0b33-1920x1080.png",
"logo": null,
"publisher": "SVR.JS",
"title": "IMPORTANT! Update Node.JS to 18.20.1, 20.12.1, 21.7.2 or newer! - SVR.JS",
"url": "https://svrjs.org/blog/IMPORTANT-Update-Node-JS-to-18-20-1-20-12-1-21-7-2-or-newer"
}
{
"url": "https://svrjs.org/blog/IMPORTANT-Update-Node-JS-to-18-20-1-20-12-1-21-7-2-or-newer",
"title": "IMPORTANT! Update Node.JS to 18.20.1, 20.12.1, 21.7.2 or newer! - SVR.JS",
"description": "Published on: April 3, 2024IMPORTANT! Update Node.JS to 18.20.1, 20.12.1, 21.7.2 or newer!Older versions of Node.JS had a CVE-2024-27982 vulnerability, which involves placing a space before Content-Length...",
"links": [
"https://svrjs.org/blog/IMPORTANT-Update-Node-JS-to-18-20-1-20-12-1-21-7-2-or-newer",
"https://blog.svrjs.org/2024/04/03/IMPORTANT-Update-Node-JS-to-18-20-1-20-12-1-21-7-2-or-newer/"
],
"image": "https://cdn.sanity.io/images/ihdlodfv/production/8599aaf874cdc2b1857cb0b59fe996abebcc0b33-1920x1080.png",
"content": "<div><p><img alt=\"IMPORTANT! Update Node.JS to 18.20.1, 20.12.1, 21.7.2 or newer!\" srcset=\"https://svrjs.org/_next/image?url=https%3A%2F%2Fcdn.sanity.io%2Fimages%2Fihdlodfv%2Fproduction%2F8599aaf874cdc2b1857cb0b59fe996abebcc0b33-1920x1080.png&amp;w=1200&amp;q=75 1x, https://svrjs.org/_next/image?url=https%3A%2F%2Fcdn.sanity.io%2Fimages%2Fihdlodfv%2Fproduction%2F8599aaf874cdc2b1857cb0b59fe996abebcc0b33-1920x1080.png&amp;w=3840&amp;q=75 2x\" src=\"https://svrjs.org/_next/image?url=https%3A%2F%2Fcdn.sanity.io%2Fimages%2Fihdlodfv%2Fproduction%2F8599aaf874cdc2b1857cb0b59fe996abebcc0b33-1920x1080.png&amp;w=3840&amp;q=75\" /></p><p>Published on: April 3, 2024</p></div><article><p><strong>IMPORTANT! Update Node.JS to 18.20.1, 20.12.1, 21.7.2 or newer!</strong></p><p>Older versions of Node.JS had a <a target=\"_blank\" href=\"https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/#http-request-smuggling-via-content-length-obfuscation---cve-2024-27982---medium\">CVE-2024-27982 vulnerability</a>, which involves placing a space before <em>Content-Length</em> header, enabling attackers to smuggle in a second request.</p><p>The original vulnerability description:</p><p><em>The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.</em></p><p>Future SVR.JS versions will warn you about this vulnerability in server logs, if you're running affected versions of Node.JS.</p></article>",
"author": "@SVR_JS",
"favicon": "https://svrjs.org/favicon.ico",
"source": "svrjs.org",
"published": "",
"ttr": 23,
"type": "website"
}