CVE-2016-2216
N/A
N/A
Summary
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- http://blog.safebreach.com/2016/02/09/http-response-splitting-in-node-js-root-cause-analysis/
- http://packetstormsecurity.com/files/135711/Node.js-HTTP-Response-Splitting.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177673.html
- https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
- http://www.securityfocus.com/bid/83141
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177184.html
- https://security.gentoo.org/glsa/201612-43
- http://info.safebreach.com/hubfs/Node-js-Response-Splitting.pdf
References
- http://blog.safebreach.com/2016/02/09/http-response-splitting-in-node-js-root-cause-analysis/
- http://packetstormsecurity.com/files/135711/Node.js-HTTP-Response-Splitting.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177673.html
- https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
- http://www.securityfocus.com/bid/83141
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177184.html
- https://security.gentoo.org/glsa/201612-43
- http://info.safebreach.com/hubfs/Node-js-Response-Splitting.pdf
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.