HIGH · CVSS 7.5
CVE-2024-27982 — Node.js HTTP request-smuggling via space in Content-Length
Node.js's HTTP parser accepted a space between the Content-Length header value and its name, enabling request-smuggling attacks through misaligned reverse proxies.
Affects
- Node.js 18 < 18.20.0
- Node.js 20 < 20.12.0
- Node.js 21 < 21.7.2
What an attacker does
The attacker crafts a request with whitespace in the Content-Length header. The reverse proxy and Node.js disagree on request boundaries. The attacker's payload is interpreted as a second request against another user's session.
How to detect
Run `node --version` on deployed workers; upgrade if the result is below the patched minor.
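The version check above, as an added example that is not part of the original advisory: it classifies `node --version` output or a Docker image tag against the patched minimums from the Affects list. The function names and the sample inventory are constructed for illustration; release lines the page does not list are reported as `not-listed` rather than assumed safe.

```javascript
// Patched minimums per release line, taken from the "Affects" list on this page.
const PATCHED = { 18: [18, 20, 0], 20: [20, 12, 0], 21: [21, 7, 2] };

// Extract major.minor.patch from `node --version` output ("v20.11.1") or a
// Docker image reference ("node:20.11.1-alpine"). Returns null when the
// string carries no full version, e.g. the floating tag "node:20", because
// a floating tag cannot be judged without resolving what it points to.
function parseVersion(text) {
  const m = /(?:^|[v:@\s])(\d+)\.(\d+)\.(\d+)(?![\d.])/.exec(text.trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one inventory entry (hypothetical helper, not a Securie API).
function triage(text) {
  const v = parseVersion(text);
  if (!v) return "unknown";        // no full version to compare
  const min = PATCHED[v[0]];
  if (!min) return "not-listed";   // release line the page does not cover
  return compare(v, min) < 0 ? "affected" : "patched";
}

// Apply triage to a map of worker name -> version string.
function report(inventory) {
  return Object.fromEntries(
    Object.entries(inventory).map(([name, s]) => [name, triage(s)])
  );
}

// Constructed sample inventory (not real hosts or images).
const sampleInventory = {
  "worker-a": "v18.19.1",
  "worker-b": "v18.20.0",
  "worker-c": "node:20.11.1-alpine",
  "worker-d": "v21.7.2",
  "worker-e": "node:20",
  "worker-f": "v22.1.0",
};

console.log(report(sampleInventory));
```

Entries reported as `unknown` need the tag resolved to a concrete version before they can be cleared.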
How to fix
Upgrade Node.js.
How Securie catches it
Securie's runtime detector reads your package manifest and Docker base image.