Unrated severityNVD Advisory· Published Jan 6, 2021· Updated Apr 30, 2025
CVE-2020-8287
CVE-2020-8287
Description
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
37- osv-coords35 versionspkg:bitnami/nodepkg:bitnami/node-minpkg:rpm/almalinux/nodejs-nodemonpkg:rpm/almalinux/nodejs-packagingpkg:rpm/opensuse/nodejs10&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/nodejs10&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/nodejs12&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/nodejs14&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/nodejs14&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/nodejs8&distro=openSUSE%20Leap%2015.2pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP2pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP2pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP2pkg:rpm/suse/nodejs8&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP2pkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/nodejs8&distro=SUSE%20Manager%20Proxy%204.0pkg:rpm/suse/nodejs8&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0pkg:rpm/suse/nodejs8&distro=SUSE%20Manager%20Server%204.0
>= 10.0.0, < 10.23.1+ 34 more
- (no CPE)range: >= 10.0.0, < 10.23.1
- (no CPE)range: >= 10.0.0, < 10.23.1
- (no CPE)range: < 1.18.3-1.module_el8.3.0+2023+d2377ea3
- (no CPE)range: < 17-3.module_el8.4.0+2224+b07ac28e
- (no CPE)range: < 10.23.1-lp151.2.15.1
- (no CPE)range: < 10.23.1-lp152.2.9.1
- (no CPE)range: < 12.20.1-lp152.3.9.1
- (no CPE)range: < 14.15.4-lp152.5.1
- (no CPE)range: < 14.17.5-1.2
- (no CPE)range: < 8.17.0-lp152.3.8.1
- (no CPE)range: < 10.23.1-1.30.1
- (no CPE)range: < 10.23.1-1.30.1
- (no CPE)range: < 10.23.1-1.33.1
- (no CPE)range: < 10.23.1-1.30.1
- (no CPE)range: < 10.23.1-1.30.1
- (no CPE)range: < 10.23.1-1.30.1
- (no CPE)range: < 10.23.1-1.30.1
- (no CPE)range: < 12.20.1-1.26.1
- (no CPE)range: < 12.20.1-4.10.1
- (no CPE)range: < 14.15.4-6.6.1
- (no CPE)range: < 14.15.4-5.6.1
- (no CPE)range: < 8.17.0-3.42.2
- (no CPE)range: < 8.17.0-3.42.2
- (no CPE)range: < 8.17.0-3.42.2
- (no CPE)range: < 8.17.0-3.42.2
- (no CPE)range: < 8.17.0-3.42.2
- (no CPE)range: < 8.17.0-10.6.1
- (no CPE)range: < 8.17.0-3.42.2
- (no CPE)range: < 8.17.0-3.42.2
- (no CPE)range: < 8.17.0-3.42.2
- (no CPE)range: < 8.17.0-3.42.2
- (no CPE)range: < 8.17.0-3.42.2
- (no CPE)range: < 8.17.0-3.42.2
- (no CPE)range: < 8.17.0-3.42.2
- (no CPE)range: < 8.17.0-3.42.2
Patches
Vulnerability mechanics
References
10- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/mitrevendor-advisory
- security.gentoo.org/glsa/202101-07mitrevendor-advisory
- www.debian.org/security/2021/dsa-4826mitrevendor-advisory
- lists.debian.org/debian-lts-announce/2022/12/msg00009.htmlmitremailing-list
- cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfmitre
- hackerone.com/reports/1002188mitre
- nodejs.org/en/blog/vulnerability/january-2021-security-releases/mitre
- security.netapp.com/advisory/ntap-20210212-0003/mitre
- www.oracle.com/security-alerts/cpujan2021.htmlmitre
News mentions
0No linked articles in our index yet.