CVE-2019-15605: HTTP request smuggling via malformed Transfer-Encoding header
Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system.
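The desync described above works because two HTTP parsers in the same request path disagree about where one request ends and the next begins, most often because one of them tolerates a malformed Transfer-Encoding value or a Transfer-Encoding / Content-Length conflict. The following is an added example, not code from Node.js or its parser (llhttp / http-parser): a strict framing check of the kind a reverse proxy or application front door can run on the raw header block before trusting its framing. Header names, the sample requests and the helper names (`stripOWS`, `parseHeaderLines`, `classifyFraming`, `SAMPLES`) are constructed for this illustration.

```javascript
'use strict';

// Only SP and HTAB count as optional whitespace (RFC 7230 OWS). String.prototype.trim()
// would also strip \v, \f and Unicode spaces, which is exactly the kind of leniency
// that makes two parsers read different values from the same bytes.
const stripOWS = (s) => s.replace(/^[ \t]+|[ \t]+$/g, '');
// RFC 7230 "token" characters; used for header names and transfer-coding names.
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

// Split a raw header block into [lowercased-name, value] pairs. Duplicates are kept
// on purpose: duplicate framing headers are themselves a smuggling signal.
function parseHeaderLines(raw) {
  const headers = [];
  for (const line of raw.split('\r\n')) {
    if (line === '') continue;
    // Obsolete line folding is interpreted differently by different parsers: reject it.
    if (/^[ \t]/.test(line)) throw new Error('obs-fold (line folding) in header block');
    const idx = line.indexOf(':');
    if (idx <= 0) throw new Error('malformed header line');
    const name = line.slice(0, idx);
    // Also rejects names with a trailing space before the colon ("Transfer-Encoding :").
    if (!TOKEN.test(name)) throw new Error('invalid header name');
    headers.push([name.toLowerCase(), stripOWS(line.slice(idx + 1))]);
  }
  return headers;
}

// Decide how the message body is framed, or refuse the request when the framing is
// ambiguous. Returns { ok: true, framing } or { ok: false, reason }.
function classifyFraming(raw) {
  let headers;
  try { headers = parseHeaderLines(raw); } catch (e) { return { ok: false, reason: e.message }; }
  const te = headers.filter(([n]) => n === 'transfer-encoding').map(([, v]) => v);
  const cl = headers.filter(([n]) => n === 'content-length').map(([, v]) => v);

  if (te.length > 1) return { ok: false, reason: 'multiple Transfer-Encoding headers' };
  if (te.length && cl.length) return { ok: false, reason: 'Transfer-Encoding and Content-Length both present' };
  if (new Set(cl).size > 1) return { ok: false, reason: 'conflicting Content-Length values' };

  if (te.length) {
    // Parse the value as a list of codings. Anything that is not a clean token
    // (e.g. "chunked" followed by a stray control byte) is malformed, not "close enough".
    const codings = te[0].split(',').map((c) => stripOWS(c).toLowerCase());
    if (!codings.every((c) => TOKEN.test(c))) return { ok: false, reason: 'malformed Transfer-Encoding value' };
    // Deliberately strict: accept only a bare "chunked", so "xchunked", "chunked, identity"
    // and similar variants never reach a back end that might read them differently.
    if (codings.length !== 1 || codings[0] !== 'chunked') return { ok: false, reason: 'only a bare "chunked" coding is accepted' };
    return { ok: true, framing: 'chunked' };
  }
  if (cl.length) {
    if (!/^[0-9]+$/.test(cl[0])) return { ok: false, reason: 'non-numeric Content-Length' };
    return { ok: true, framing: 'content-length', length: Number(cl[0]) };
  }
  return { ok: true, framing: 'none' };
}

// Constructed sample header blocks (request line omitted), not real traffic.
const SAMPLES = {
  clean:     'Host: example.test\r\nTransfer-Encoding: chunked\r\n\r\n',
  both:      'Host: example.test\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n',
  trailing:  'Host: example.test\r\nTransfer-Encoding: chunked\x0b\r\n\r\n',
  prefixed:  'Host: example.test\r\nTransfer-Encoding: xchunked\r\n\r\n',
  folded:    'Host: example.test\r\nTransfer-Encoding:\r\n chunked\r\n\r\n',
  plainBody: 'Host: example.test\r\nContent-Length: 11\r\n\r\n',
};

for (const [label, raw] of Object.entries(SAMPLES)) {
  console.log(label.padEnd(10), JSON.stringify(classifyFraming(raw)));
}
```

Only `clean` and `plainBody` are accepted; every other sample is refused with a reason rather than resolved by guessing. That is the safe default for a front-end component: a request whose framing is ambiguous should be dropped (and logged) before it is forwarded, because the back end may well resolve the ambiguity the other way.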
Downloads & release details
Node.js v10.19.0 (LTS) - https://nodejs.org/en/blog/release/v10.19.0/
Node.js v12.15.0 (LTS) - https://nodejs.org/en/blog/release/v12.15.0/
Node.js v13.8.0 (Current) - https://nodejs.org/en/blog/release/v13.8.0/
Other sources
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
— Launchpad
Node.js is vulnerable to HTTP request smuggling, caused by a flaw when handling unusual Transfer-Encoding HTTP header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
— IBM
Remediation
Patch Available
Frequently Asked Questions
What is the vulnerability ID for this Node.js HTTP request smuggling vulnerability?
The vulnerability ID for this Node.js HTTP request smuggling vulnerability is CVE-2019-15605.
What is the severity of CVE-2019-15605?
The Node.js project rated CVE-2019-15605 as Critical, and NVD assigns it a CVSS v3.1 base score of 9.8 (Critical); some trackers list it as high.
Which versions of Node.js are affected by CVE-2019-15605?
The 10.x, 12.x and 13.x release lines of Node.js are affected before v10.19.0, v12.15.0 and v13.8.0 respectively; those releases contain the fix.
What is the potential impact of CVE-2019-15605?
When a malformed Transfer-Encoding header is accepted, an attacker can desynchronise the HTTP request stream between a front-end component (proxy, load balancer, cache) and the Node.js server, causing part of one request to be processed as the start of the next. That lets the attacker smuggle requests past front-end controls such as a web application firewall, poison shared caches, and deliver attacker-controlled responses to other users, which in turn enables session hijacking, cookie poisoning and XSS-style payload delivery depending on the application.
How can I fix CVE-2019-15605 in Node.js?
Upgrade Node.js to v10.19.0, v12.15.0 or v13.8.0 (or any later release in those lines); see the release notes linked under "Downloads & release details". Earlier, unsupported release lines did not receive the fix and should be migrated to a supported line. Where a reverse proxy sits in front of Node.js, keep it on a version that also rejects ambiguous Transfer-Encoding / Content-Length framing, since smuggling requires a disagreement between two parsers.
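To audit a fleet against the fixed versions listed on this page, the following added example (not a script from the Node.js project) compares version strings against the first fixed release of each affected line: v10.19.0, v12.15.0 and v13.8.0. Release lines the page does not mention are reported as "not-covered" rather than guessed at, except that lines numbered above 13 are reported as patched on the assumption, stated in the code, that they were released after the February 2020 fix. The function names (`parseVersion`, `compareVersions`, `isPatched`) and the sample version strings are constructed for this illustration.

```javascript
'use strict';

// First release in each affected line that contains the CVE-2019-15605 fix (from this page).
const FIXED = { 10: [10, 19, 0], 12: [12, 15, 0], 13: [13, 8, 0] };

// Accept "v12.15.0" or "12.15.0" (with optional pre-release suffix) and return [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Node.js version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic comparison of [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one version string as 'patched', 'vulnerable' or 'not-covered'.
function isPatched(version) {
  const parsed = parseVersion(version);
  const major = parsed[0];
  const fixed = FIXED[major];
  if (fixed) {
    return {
      version,
      status: compareVersions(parsed, fixed) >= 0 ? 'patched' : 'vulnerable',
      fixedIn: 'v' + fixed.join('.'),
    };
  }
  // Assumption (not stated on the page): lines newer than 13 were cut after the fix landed.
  if (major > 13) return { version, status: 'patched', note: 'release line newer than the advisory' };
  // Older lines (e.g. 8.x) are not in the advisory table; treat them as unknown, not safe.
  return { version, status: 'not-covered', note: `release line ${major} not listed in the advisory` };
}

// Constructed sample inventory, plus the interpreter this script is running under.
const INVENTORY = ['v10.18.1', 'v10.19.0', '12.14.1', 'v12.15.0', 'v13.7.0', 'v13.8.0', 'v8.17.0', 'v14.0.0'];
for (const v of [...INVENTORY, process.version]) {
  console.log(JSON.stringify(isPatched(v)));
}
```

Feed it the output of `node -v` from each host (or the `engines`/runtime version recorded by your inventory tooling); anything reported as `vulnerable` or `not-covered` needs an upgrade.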