VYPR
Low severity · NVD Advisory · Published Dec 11, 2019 · Updated Aug 6, 2024

CVE-2013-7370

Description

Reflected XSS in node-connect's methodOverride middleware before 2.8.1 allows attackers to inject arbitrary JavaScript via crafted HTTP headers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2013-7370 is a reflected cross-site scripting (XSS) vulnerability in the methodOverride middleware of the Sencha Labs Connect module for Node.js, affecting versions before 2.8.1 [1][2]. The middleware lets a client override the HTTP method of a request (for example, turning a POST into a PUT or DELETE) through the X-HTTP-Method-Override header or a `_method` field in a parsed request body. Before the fix the middleware copied that value into `req.method` without checking it against any list of known methods, and Connect's default 404 handler echoed `req.method` into the response body unescaped ("Cannot <method> <url>"). A crafted override value such as `<script>...</script>` was therefore reflected verbatim to the client [3].

Exploitation

To exploit the flaw an attacker needs a request to reach a vulnerable application with a crafted override value: JavaScript placed in the X-HTTP-Method-Override header, or in the `_method` body field the same middleware reads, ends up in `req.method` and is reflected by the 404 handler. No authentication is required and the attack works over plain HTTP. Because this is reflected XSS, the payload runs in the victim's browser only when the victim is made to send the request, for example through a crafted page or link [2][3]. Two practical caveats: a page on another origin cannot make a browser add a custom header such as X-HTTP-Method-Override without a CORS preflight, so the body-field vector (a plain HTML form can submit `_method`) is the one a remote attacker can drive against a victim, while the header vector is mostly reachable from a client the attacker controls directly; and the 404 body Connect emits is served as text/plain (see the second patch below), so execution depends on the client sniffing it as HTML or on application code that echoes `req.method` into an HTML response.

Impact

Successful exploitation lets an attacker run arbitrary JavaScript in the victim's browser within the application's origin, which can lead to session hijacking, theft of any data the page can reach, or defacement of the application. The impact is scoped to that user's session and origin, but if the application trusts the session the script can perform actions on the victim's behalf [2][3].

Mitigation

The vulnerability was fixed in node-connect 2.8.1, released in July 2013 [3][4]; upgrade to 2.8.1 or later. The fix has two parts, both committed on June 27, 2013: methodOverride() now lowercases the requested override and applies it only if it appears in the `methods` package's list of methods Node supports, so an arbitrary string never reaches `req.method` (commit 126187c4e121); and the default 404 handler escapes `req.method` as well as the URL before echoing it (commit 277e5aad6a95). No workarounds are documented, but removing the methodOverride middleware where it is not needed, or placing a middleware in front of it that rejects any override value outside an explicit allow-list of methods, closes the injection path. The CVE was assigned in 2014 after public disclosure [3][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
connect (npm)    < 2.8.1             2.8.1

Affected products (2)

  • node-connect/node-connect (description)
  • ghsa-coords
    Range: < 2.8.1

Patches (2)

126187c4e121

add whitelisting of supported methods to methodOverride()

https://github.com/senchalabs/connect · TJ Holowaychuk · Jun 27, 2013 · via ghsa
3 files changed · +77 −8
  • lib/middleware/methodOverride.js+25 6 modified
    @@ -6,11 +6,17 @@
      * MIT Licensed
      */
     
    +/**
    + * Module dependencies.
    + */
    +
    +var methods = require('methods');
    +
     /**
      * Method Override:
    - * 
    + *
      * Provides faux HTTP method support.
    - * 
    + *
      * Pass an optional `key` to use when checking for
      * a method override, othewise defaults to _\_method_.
      * The original method is available via `req.originalMethod`.
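Review bot: the doc comment at the bottom of this hunk still reads "othewise defaults to _\_method_"; since the hunk already reflows the neighbouring comment lines, fix the typo to "otherwise" here rather than leaving it for a later pass. The `require('methods')` line is the only functional change in this hunk; the rest is trailing-whitespace cleanup.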
    @@ -23,18 +29,31 @@
     module.exports = function methodOverride(key){
       key = key || "_method";
       return function methodOverride(req, res, next) {
    +    var method;
         req.originalMethod = req.originalMethod || req.method;
     
         // req.body
         if (req.body && key in req.body) {
    -      req.method = req.body[key].toUpperCase();
    +      method = req.body[key].toLowerCase();
           delete req.body[key];
    +    }
    +
         // check X-HTTP-Method-Override
    -    } else if (req.headers['x-http-method-override']) {
    -      req.method = req.headers['x-http-method-override'].toUpperCase();
    +    if (req.headers['x-http-method-override']) {
    +      method = req.headers['x-http-method-override'].toLowerCase();
         }
    -    
    +
    +    // replace
    +    if (supports(method)) req.method = method.toUpperCase();
    +
         next();
       };
     };
     
    +/**
    + * Check if node supports `method`.
    + */
    +
    +function supports(method) {
    +  return ~methods.indexOf(method);
    +}
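Review bot: `req.body[key].toLowerCase()` in the body branch throws a TypeError when the parsed body carries a non-string under `_method` (a JSON body with `"_method": 1`, or an array from a repeated `_method` form field), which turns a malformed request into an unhandled exception; guard with `typeof req.body[key] === 'string'` before lowercasing. Dropping the `else` also changes precedence: the header now wins over the body value when both are present, whereas before the body won, and neither the commit message nor the doc comment mentions it. Finally, `return ~methods.indexOf(method);` relies on the reader knowing that `~-1 === 0`; `return methods.indexOf(method) !== -1;` says the same thing plainly.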
    
  • package.json+9 2 modified
    @@ -2,7 +2,13 @@
       "name": "connect",
       "version": "2.8.1",
       "description": "High performance middleware framework",
    -  "keywords": ["framework", "web", "middleware", "connect", "rack"],
    +  "keywords": [
    +    "framework",
    +    "web",
    +    "middleware",
    +    "connect",
    +    "rack"
    +  ],
       "repository": "git://github.com/senchalabs/connect.git",
       "author": "TJ Holowaychuk <tj@vision-media.ca> (http://tjholowaychuk.com)",
       "dependencies": {
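Review bot: the keyword array reflow is cosmetic and unrelated to the fix; bundling it into a security commit makes the change harder to backport and to audit. The version bump to 2.8.1 is the only line in this hunk that belongs with the fix.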
    @@ -16,7 +22,8 @@
         "fresh": "0.1.0",
         "pause": "0.0.1",
         "uid2": "0.0.2",
    -    "debug": "*"
    +    "debug": "*",
    +    "methods": "0.0.1"
       },
       "devDependencies": {
         "should": "*",
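Review bot: pinning `"methods": "0.0.1"` exactly is the right call for a dependency that now defines the security allow-list, but note that the allow-list is only as complete as that package's table, so a legitimate method it lacks is silently dropped rather than rejected with an error; document that behaviour. The neighbouring `"debug": "*"` shows the opposite pattern and will pick up any future release unreviewed.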
    
  • test/methodOverride.js+43 0 added
    @@ -0,0 +1,43 @@
    +
    +var connect = require('../');
    +
    +var app = connect();
    +
    +app.use(connect.bodyParser());
    +app.use(connect.methodOverride());
    +
    +app.use(function(req, res){
    +  res.end(req.method);
    +});
    +
    +describe('connect.methodOverride()', function(){
    +  it('should not touch the method by default', function(done){
    +    app.request()
    +    .get('/')
    +    .expect('GET', done);
    +  })
    +
    +  it('should support req.body._method', function(done){
    +    app.request()
    +    .post('/')
    +    .set('Content-Type', 'application/x-www-form-urlencoded')
    +    .write('_method=DELETE')
    +    .expect('DELETE', done);
    +  })
    +
    +  it('should be case in-sensitive', function(done){
    +    app.request()
    +    .post('/')
    +    .set('Content-Type', 'application/x-www-form-urlencoded')
    +    .write('_method=delete')
    +    .expect('DELETE', done);
    +  })
    +
    +  it('should ignore invalid methods', function(done){
    +    app.request()
    +    .post('/')
    +    .set('Content-Type', 'application/x-www-form-urlencoded')
    +    .write('_method=<whatever>')
    +    .expect('POST', done);
    +  })
    +})
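Review bot: every test drives the `_method` body field; nothing exercises the X-HTTP-Method-Override header path, the case where header and body disagree (the new precedence), or a non-string body value, so the branches that matter most for this fix are untested. Add at least one `.set('X-HTTP-Method-Override', 'DELETE')` case expecting `DELETE` and one `.set('X-HTTP-Method-Override', '<whatever>')` case expecting `POST`.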
    
277e5aad6a95

fix: escape req.method in 404 response

https://github.com/senchalabs/connect · TJ Holowaychuk · Jun 27, 2013 · via ghsa
1 file changed · +4 −4
  • lib/proto.js+4 4 modified
    @@ -152,7 +152,7 @@ app.handle = function(req, res, out) {
             res.statusCode = 404;
             res.setHeader('Content-Type', 'text/plain');
             if ('HEAD' == req.method) return res.end();
    -        res.end('Cannot ' + req.method + ' ' + utils.escape(req.originalUrl));
    +        res.end('Cannot ' + utils.escape(req.method) + ' ' + utils.escape(req.originalUrl));
           }
           return;
         }
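Review bot: escaping `req.method` here is correct defence in depth, but the guarantee that the value is a known token comes from the allow-list added in 126187c4e121; the two commits should land together and the commit message should say so for backporters. Since this body is served with `Content-Type: text/plain`, also consider setting `X-Content-Type-Options: nosniff` on the response so a browser cannot sniff the reflected string as HTML. The `HEAD` early return one line above is unaffected.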
    @@ -202,7 +202,7 @@ app.handle = function(req, res, out) {
      * Listen for connections.
      *
      * This method takes the same arguments
    - * as node's `http.Server#listen()`.  
    + * as node's `http.Server#listen()`.
      *
      * HTTP and HTTPS:
      *
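Review bot: this hunk and the next one only strip trailing whitespace from doc comments in `lib/proto.js`; they are unrelated to the escape fix and belong in a separate cleanup commit so the security change stays a one-line diff.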
    @@ -214,9 +214,9 @@ app.handle = function(req, res, out) {
      *      var connect = require('connect')
      *        , http = require('http')
      *        , https = require('https');
    - *      
    + *
      *      var app = connect();
    - *      
    + *
      *      http.createServer(app).listen(80);
      *      https.createServer(options, app).listen(443);
      *
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (13)
