VYPR
Moderate severity · NVD Advisory · Published Dec 11, 2019 · Updated Aug 6, 2024

CVE-2013-7371

Description

node-connect before 2.8.2 has a reflected XSS in methodOverride middleware due to incomplete fix of CVE-2013-7370.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2013-7371 is a reflected cross-site scripting (XSS) vulnerability in the methodOverride middleware of the Sencha Labs Connect framework for Node.js. The issue stems from an incomplete fix for CVE-2013-7370, where improper input sanitization allows attackers to inject malicious scripts into HTTP responses [1][4].

Attackers can exploit this by crafting a URL containing the XSS payload. When a user visits the crafted URL, the server reflects the payload back in the response, executing arbitrary JavaScript in the user's browser. No authentication is required, but user interaction (clicking a link) is necessary [4].

Successful exploitation enables attackers to steal session cookies, credentials, or perform actions on behalf of the victim, leading to account compromise or data theft. The vulnerability affects all versions of node-connect prior to 2.8.2 [1][3].

Mitigation is straightforward: upgrade to node-connect version 2.8.2 or later, which contains the complete fix. No workarounds are available [1][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
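As an added example (not Connect's own code and not part of this advisory), the following models the two patches on this page: the pre-2.8.2 methodOverride that copies any client-supplied string into `req.method`, the whitelisted 2.8.2 version, and the 404 sink that escapes `req.method`. The `req` objects are constructed plain objects, `SUPPORTED` is an assumed subset of the list the `methods` package exports, `escapeHtml` stands in for Connect's `utils.escape`, and the `typeof` guard is my addition rather than part of the original fix.

```javascript
// Added example, not Connect's own code: a model of the two patches on this page.
// `req` is a constructed plain object; SUPPORTED is an assumed subset of `methods`.
const SUPPORTED = ['get', 'post', 'put', 'delete', 'head', 'options', 'patch'];

// Pre-2.8.2 behaviour: any string supplied by the client becomes req.method.
function overrideUnchecked(req, key = '_method') {
  req.originalMethod = req.originalMethod || req.method;
  if (req.body && key in req.body) {
    req.method = String(req.body[key]).toUpperCase();
    delete req.body[key];
  } else if (req.headers && req.headers['x-http-method-override']) {
    req.method = req.headers['x-http-method-override'].toUpperCase();
  }
  return req.method;
}

// 2.8.2 behaviour: only a whitelisted name replaces req.method. The typeof guard
// is my addition so non-string body values (arrays from a query-string parser) are ignored.
function overrideWhitelisted(req, key = '_method') {
  let candidate;
  req.originalMethod = req.originalMethod || req.method;
  if (req.body && key in req.body) {
    candidate = req.body[key];
    delete req.body[key];
  }
  if (req.headers && req.headers['x-http-method-override']) {
    candidate = req.headers['x-http-method-override'];
  }
  if (typeof candidate === 'string' && SUPPORTED.includes(candidate.toLowerCase())) {
    req.method = candidate.toUpperCase();
  }
  return req.method;
}

// Stand-in for connect's utils.escape (assumed to HTML-escape these characters).
function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// The 404 sink after 277e5aad6a95: method and URL are both escaped.
function notFoundBody(req) {
  return 'Cannot ' + escapeHtml(req.method) + ' ' + escapeHtml(req.originalUrl);
}

// Constructed request: an invalid override is ignored and the 404 text stays inert.
const sample = { method: 'POST', originalUrl: '/x', body: { _method: '<whatever>' }, headers: {} };
overrideWhitelisted(sample);
console.log(notFoundBody(sample)); // Cannot POST /x
```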

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions   Patched versions
connect (npm)   < 2.8.2             2.8.2

Affected products (2)
  • ghsa-coords
    Range: < 2.8.2
  • node-connect/node-connectv5
    Range: < 2.8.2

Patches (2)
126187c4e121

add whitelisting of supported methods to methodOverride()

https://github.com/senchalabs/connect · TJ Holowaychuk · Jun 27, 2013 · via ghsa
3 files changed · +77 -8
  • lib/middleware/methodOverride.js (+25 -6, modified)
    @@ -6,11 +6,17 @@
      * MIT Licensed
      */
     
    +/**
    + * Module dependencies.
    + */
    +
    +var methods = require('methods');
    +
     /**
      * Method Override:
    - * 
    + *
      * Provides faux HTTP method support.
    - * 
    + *
      * Pass an optional `key` to use when checking for
      * a method override, othewise defaults to _\_method_.
      * The original method is available via `req.originalMethod`.
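Review bot: the new `require('methods')` makes the security decision depend on an external list, so the same change should pin that dependency in package.json, and the comparison in the next hunk relies on the exported names being lowercase; a one-line comment next to the require stating both assumptions would help future maintainers. Minor nit in the unchanged context: "othewise" in the doc comment.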
    @@ -23,18 +29,31 @@
     module.exports = function methodOverride(key){
       key = key || "_method";
       return function methodOverride(req, res, next) {
    +    var method;
         req.originalMethod = req.originalMethod || req.method;
     
         // req.body
         if (req.body && key in req.body) {
    -      req.method = req.body[key].toUpperCase();
    +      method = req.body[key].toLowerCase();
           delete req.body[key];
    +    }
    +
         // check X-HTTP-Method-Override
    -    } else if (req.headers['x-http-method-override']) {
    -      req.method = req.headers['x-http-method-override'].toUpperCase();
    +    if (req.headers['x-http-method-override']) {
    +      method = req.headers['x-http-method-override'].toLowerCase();
         }
    -    
    +
    +    // replace
    +    if (supports(method)) req.method = method.toUpperCase();
    +
         next();
       };
     };
     
    +/**
    + * Check if node supports `method`.
    + */
    +
    +function supports(method) {
    +  return ~methods.indexOf(method);
    +}
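Review bot: `req.body[key].toLowerCase()` will throw a TypeError when the body parser delivers a non-string value for the key (an array from a repeated `_method` field, or an object from bracket syntax), so a malformed request becomes an unhandled exception in the middleware; guard with `typeof value === 'string'` before lower-casing, in both the body and header branches. The restructuring also changes precedence: before, the header was consulted only when the body had no `_method`; now the header silently wins when both are present while the body key is still deleted, so either keep the `else` or document the new order. Finally, `~methods.indexOf(method)` returns a number rather than a boolean; `methods.indexOf(method) !== -1` reads more clearly.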
    
  • package.json (+9 -2, modified)
    @@ -2,7 +2,13 @@
       "name": "connect",
       "version": "2.8.1",
       "description": "High performance middleware framework",
    -  "keywords": ["framework", "web", "middleware", "connect", "rack"],
    +  "keywords": [
    +    "framework",
    +    "web",
    +    "middleware",
    +    "connect",
    +    "rack"
    +  ],
       "repository": "git://github.com/senchalabs/connect.git",
       "author": "TJ Holowaychuk <tj@vision-media.ca> (http://tjholowaychuk.com)",
       "dependencies": {
    @@ -16,7 +22,8 @@
         "fresh": "0.1.0",
         "pause": "0.0.1",
         "uid2": "0.0.2",
    -    "debug": "*"
    +    "debug": "*",
    +    "methods": "0.0.1"
       },
       "devDependencies": {
         "should": "*",
    
  • test/methodOverride.js (+43 -0, added)
    @@ -0,0 +1,43 @@
    +
    +var connect = require('../');
    +
    +var app = connect();
    +
    +app.use(connect.bodyParser());
    +app.use(connect.methodOverride());
    +
    +app.use(function(req, res){
    +  res.end(req.method);
    +});
    +
    +describe('connect.methodOverride()', function(){
    +  it('should not touch the method by default', function(done){
    +    app.request()
    +    .get('/')
    +    .expect('GET', done);
    +  })
    +
    +  it('should support req.body._method', function(done){
    +    app.request()
    +    .post('/')
    +    .set('Content-Type', 'application/x-www-form-urlencoded')
    +    .write('_method=DELETE')
    +    .expect('DELETE', done);
    +  })
    +
    +  it('should be case in-sensitive', function(done){
    +    app.request()
    +    .post('/')
    +    .set('Content-Type', 'application/x-www-form-urlencoded')
    +    .write('_method=delete')
    +    .expect('DELETE', done);
    +  })
    +
    +  it('should ignore invalid methods', function(done){
    +    app.request()
    +    .post('/')
    +    .set('Content-Type', 'application/x-www-form-urlencoded')
    +    .write('_method=<whatever>')
    +    .expect('POST', done);
    +  })
    +})
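Review bot: the new tests only exercise the `req.body._method` path; add cases for the `X-HTTP-Method-Override` header (valid, invalid and mixed case), for a request that carries both a body `_method` and the header so the precedence chosen in methodOverride.js is pinned down, and for `_method` sent as a repeated field to confirm the middleware does not throw on a non-string value.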
    
277e5aad6a95

fix: escape req.method in 404 response

https://github.com/senchalabs/connect · TJ Holowaychuk · Jun 27, 2013 · via ghsa
1 file changed · +4 -4
  • lib/proto.js (+4 -4, modified)
    @@ -152,7 +152,7 @@ app.handle = function(req, res, out) {
             res.statusCode = 404;
             res.setHeader('Content-Type', 'text/plain');
             if ('HEAD' == req.method) return res.end();
    -        res.end('Cannot ' + req.method + ' ' + utils.escape(req.originalUrl));
    +        res.end('Cannot ' + utils.escape(req.method) + ' ' + utils.escape(req.originalUrl));
           }
           return;
         }
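Review bot: escaping `req.method` at the sink is the right complement to the whitelist in methodOverride, since the 404 body no longer depends on every upstream middleware validating what it writes into `req.method`. Two follow-ups: the response is sent as `text/plain`, so setting `X-Content-Type-Options: nosniff` alongside it would stop content sniffing from treating the body as HTML, and a unit test that sends an unsupported method and asserts on the escaped 404 body would keep this from regressing.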
    @@ -202,7 +202,7 @@ app.handle = function(req, res, out) {
      * Listen for connections.
      *
      * This method takes the same arguments
    - * as node's `http.Server#listen()`.  
    + * as node's `http.Server#listen()`.
      *
      * HTTP and HTTPS:
      *
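Review bot: this hunk only strips trailing whitespace from a doc comment; mixing whitespace-only edits into a security fix commit makes the patch harder to audit and to backport, so prefer landing them separately.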
    @@ -214,9 +214,9 @@ app.handle = function(req, res, out) {
      *      var connect = require('connect')
      *        , http = require('http')
      *        , https = require('https');
    - *      
    + *
      *      var app = connect();
    - *      
    + *
      *      http.createServer(app).listen(80);
      *      https.createServer(options, app).listen(443);
      *
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (11)

News mentions (0)

No linked articles in our index yet.