Medium severity6.1NVD Advisory· Published Oct 10, 2016· Updated May 6, 2026

CVE-2016-5325

Description

CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/nodejs/node/commit/c0f13e56a20f9bde5a67d873a7f9564487160762nvdIssue TrackingPatch
nodejs.org/en/blog/vulnerability/september-2016-security-releases/nvdPatchVendor Advisory
lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.htmlnvdThird Party Advisory
rhn.redhat.com/errata/RHSA-2017-0002.htmlnvd
www.securityfocus.com/bid/93483nvd
access.redhat.com/errata/RHSA-2016:2101nvd
security.gentoo.org/glsa/201612-43nvd

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000