HIGH · CVSS 7.5
CVE-2025-27210 — Node.js HTTP request-smuggling
Node's HTTP parser accepted whitespace between Content-Length and its value, enabling request-smuggling attacks through intermediaries that parse the header strictly.
Affects
- Node.js 20 < 20.18.3
- Node.js 22 < 22.14.0
What an attacker does
An attacker sends a request whose Content-Length header carries whitespace that Node tolerates but a strict intermediary rejects or reads differently. The reverse proxy and Node.js then disagree on where one request ends and the next begins, so the attacker's request body is interpreted as a second request against a different user's session.
How to detect
Run node --version on each deployed worker and upgrade any instance below the patched release for its major line (20.18.3 for Node.js 20, 22.14.0 for Node.js 22).
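A version check for this step, as an added example (not Securie's detector or Node's own tooling): it classifies a node --version string against the patched releases listed above, and the function names and the "unlisted" result for majors outside the Affects list are assumptions.

```shell
#!/bin/sh
# Added example: classify an installed Node.js version against the patched
# releases stated in the advisory (20.18.3 for Node 20, 22.14.0 for Node 22).
# Majors not named in the advisory's "Affects" list are reported as "unlisted"
# rather than guessed at.

# node_fixed VERSION -> prints "fixed", "vulnerable" or "unlisted".
# VERSION is what `node --version` prints, e.g. "v20.18.2" (leading v optional).
node_fixed() {
    v=${1#v}                    # strip the leading "v"
    major=${v%%.*}              # "20.18.2" -> "20"
    rest=${v#*.}                # "20.18.2" -> "18.2"
    minor=${rest%%.*}           # "18.2"    -> "18"
    patch=${rest#*.}            # "18.2"    -> "2"
    patch=${patch%%[!0-9]*}     # drop any pre-release/build suffix ("2-rc1" -> "2")
    case "$major" in
        20) fmin=18; fpat=3 ;;  # first fixed release on the 20.x line
        22) fmin=14; fpat=0 ;;  # first fixed release on the 22.x line
        *)  echo unlisted; return 0 ;;
    esac
    if [ "$minor" -gt "$fmin" ] || { [ "$minor" -eq "$fmin" ] && [ "$patch" -ge "$fpat" ]; }; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Check the interpreter on this host; returns non-zero when it is vulnerable,
# and 2 when no node binary is on PATH.
check_local_node() {
    command -v node >/dev/null 2>&1 || { echo "node not found on PATH"; return 2; }
    ver=$(node --version)
    status=$(node_fixed "$ver")
    echo "$ver: $status"
    [ "$status" != vulnerable ]
}

# Run the local check only when invoked with --check, so the functions can
# also be sourced from a fleet-wide inventory script.
if [ "${1:-}" = "--check" ]; then
    check_local_node
fi
```

Run it as `sh check-node.sh --check` on each worker; a non-zero exit status marks a host that still needs the upgrade.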
How to fix
Upgrade to Node.js 20.18.3 / 22.14.0 or later. Your CDN / ingress may also need an update depending on vendor.
How Securie catches it
Securie's runtime detector flags deployed Node versions declared in your package manifest and Docker image.