HTTP Request Smuggling Vulnerability in Node.js 

PUBLISHED ON September 27, 2022
LAST UPDATED Sep 27, 2022

Last week, researchers disclosed an HTTP request smuggling vulnerability in Node.js. It affects the release lines that were current at the time (14.x, 16.x, and 18.x), and it is straightforward to exploit wherever a Node.js server sits behind a proxy or load balancer that frames requests differently than Node's own parser does. This is only the latest in a series of CVEs found in the very popular Node.js runtime in recent months. 

The full list of CVEs addressed by the most recent release can be found here: https://nodejs.org/en/blog/release/v18.9.1/ 

What Is HTTP Request Smuggling? 

HTTP request smuggling exploits a disagreement between two HTTP/1.1 parsers, typically a front-end proxy or load balancer and the back-end application server, about where one request ends and the next begins. Request boundaries are determined by the Content-Length header, the Transfer-Encoding: chunked framing, and the CRLF line terminators; if the front end accepts a request whose framing the back end interprets differently, the trailing bytes are treated by the back end as the start of a second request that the front end never inspected. 

Request smuggling is generally treated as a high-severity class of bug because the "smuggled" request bypasses whatever the front end enforces: WAF rules, authentication at the edge, path-based access restrictions, and rate limits. Depending on the deployment, an attacker can also prepend their bytes to the next request on a shared back-end connection and so hijack or poison another user's request and response. 
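The desync described above, as an added illustration written for this article (not Node.js or llhttp code, and not a working exploit against any product): a toy HTTP/1.1 request splitter that frames the body by either Content-Length or Transfer-Encoding. Feeding the same constructed bytes through both modes shows the front end forwarding one request while the back end sees two. The request bytes, host name and paths are constructed here for the demo.

```javascript
// Toy HTTP/1.1 request splitter for demonstration only. `framing` selects
// which header decides where the body ends: 'cl' (Content-Length, as a
// front end that ignores Transfer-Encoding would) or 'te' (chunked framing,
// as a back end that honours Transfer-Encoding would). No trailers supported.
function parseOne(buf, pos, framing) {
  const headEnd = buf.indexOf('\r\n\r\n', pos);
  if (headEnd === -1) return null; // incomplete head; stop
  const head = buf.slice(pos, headEnd);
  const [requestLine, ...lines] = head.split('\r\n');
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i === -1) continue; // malformed header line; ignored by this toy parser
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const bodyStart = headEnd + 4;
  let body = '';
  let next;
  const chunked = /chunked/i.test(headers['transfer-encoding'] || '');
  if (framing === 'te' && chunked) {
    // Chunked body: <hex size>\r\n<data>\r\n ... 0\r\n\r\n
    let p = bodyStart;
    for (;;) {
      const lineEnd = buf.indexOf('\r\n', p);
      if (lineEnd === -1) return null;
      const size = parseInt(buf.slice(p, lineEnd), 16);
      if (Number.isNaN(size)) return null;
      p = lineEnd + 2;
      if (size === 0) {
        const term = buf.indexOf('\r\n', p); // blank line after the 0-chunk
        if (term === -1) return null;
        next = term + 2;
        break;
      }
      body += buf.slice(p, p + size);
      p += size + 2; // skip chunk data and its trailing CRLF
    }
  } else {
    // Content-Length framing (also the fallback when nothing is chunked)
    const len = parseInt(headers['content-length'] || '0', 10);
    body = buf.slice(bodyStart, bodyStart + len);
    next = bodyStart + len;
  }
  return { requestLine, headers, body, next };
}

// Carve a byte string into as many requests as the chosen framing yields.
function splitRequests(buf, framing) {
  const out = [];
  let pos = 0;
  while (pos < buf.length) {
    const req = parseOne(buf, pos, framing);
    if (!req) break;
    out.push(req);
    pos = req.next;
  }
  return out;
}

// Constructed CL.TE request: Content-Length covers the entire body, but the
// chunked framing ends after "0\r\n\r\n", leaving a second request behind it.
const SMUGGLED = 'GET /admin HTTP/1.1\r\nHost: app.internal\r\n\r\n';
const BODY = '0\r\n\r\n' + SMUGGLED;
const RAW =
  'POST /search HTTP/1.1\r\n' +
  'Host: app.internal\r\n' +
  `Content-Length: ${BODY.length}\r\n` +
  'Transfer-Encoding: chunked\r\n' +
  '\r\n' + BODY;

// Returns the request lines each side sees.
function demo() {
  return {
    frontEnd: splitRequests(RAW, 'cl').map((r) => r.requestLine),
    backEnd: splitRequests(RAW, 'te').map((r) => r.requestLine),
  };
}

console.log(demo());
```

The front end sees a single POST and forwards all of its bytes; the back end sees the POST followed by a GET /admin that never passed the front end's checks. The same mechanics apply to any framing disagreement, including one parser being lenient about malformed line terminators.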

How to Address the Node.js Vulnerability 

Updating Node.js to the most recent release of your line is the best course of action. New security releases are available for the 18.x, 16.x, and 14.x release lines. Because the HTTP parser ships inside the runtime rather than as an npm dependency, an `npm audit` or lockfile update does not cover it: the runtime itself has to be upgraded, which in practice means rebuilding container images and checking any pinned versions in CI, version managers, and base images. 
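A small inventory check, added here as an example and not taken from the Node.js project: it compares the running Node.js version with the first patched release of its line. 18.9.1 is the release linked above; the 16.17.1 and 14.20.1 minimums are assumed here to be the sibling security releases of the same day and should be confirmed against the release notes before relying on them.

```javascript
// Minimum patched version per release line. 18.9.1 comes from the release
// linked in this post; the 16.x and 14.x entries are assumed (verify them).
const PATCHED = {
  18: [18, 9, 1],
  16: [16, 17, 1],
  14: [14, 20, 1],
};

// Parse "v18.9.1" or "18.9.1" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// 'patched' if at or above the fixed release for its line, 'vulnerable' if
// below it, 'unsupported' if the line received no fix (treat as upgrade-needed).
function patchStatus(version) {
  const v = parseVersion(version);
  const min = PATCHED[v[0]];
  if (!min) return 'unsupported';
  return compareVersions(v, min) >= 0 ? 'patched' : 'vulnerable';
}

console.log(`node ${process.version}: ${patchStatus(process.version)}`);
```

Run it with the Node binary you actually deploy (inside the container image, not just on a workstation), since that is the parser that handles traffic.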

ThreatX Response to Node.js Vulnerability 

The ThreatX SOC addressed this vulnerability by testing WAF functionality against it and writing several rules to help monitor for this attack. The team is keeping a close eye on this space. 
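To make concrete the kind of check a monitoring rule for this attack class performs, here is an added example written for this article; it is not ThreatX's rule set and is not taken from any product. It inspects the raw request head (request line plus headers) for the framing ambiguities that request smuggling relies on: bare-LF line terminators, Content-Length and Transfer-Encoding both present, conflicting Content-Length values, non-numeric lengths, unusual Transfer-Encoding values, and whitespace before a header colon. The sample requests are constructed inline.

```javascript
// Return a list of smuggling indicators found in a raw HTTP/1.1 request head.
// Input is the request line and header lines as one string (no body).
function smugglingIndicators(rawHead) {
  const findings = [];

  // 1. A bare LF ending a line: lenient parsers accept it, strict ones do not,
  //    which is exactly the kind of disagreement smuggling needs.
  if (/(^|[^\r])\n/.test(rawHead)) findings.push('bare-LF line terminator');

  const lines = rawHead.split(/\r?\n/).filter(Boolean);
  const headers = [];
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i === -1) {
      findings.push(`header line without colon: ${line.slice(0, 40)}`);
      continue;
    }
    headers.push({
      name: line.slice(0, i).trim().toLowerCase(),
      value: line.slice(i + 1).trim(),
      raw: line,
    });
  }

  const cl = headers.filter((h) => h.name === 'content-length');
  const te = headers.filter((h) => h.name === 'transfer-encoding');

  // 2. Both framing headers present: the classic CL.TE / TE.CL precondition.
  if (cl.length && te.length) findings.push('both Content-Length and Transfer-Encoding');

  // 3. Duplicate Content-Length with differing values (CL.CL desync).
  if (cl.length > 1 && new Set(cl.map((h) => h.value)).size > 1) {
    findings.push('conflicting Content-Length values');
  }

  // 4. Content-Length that is not a plain decimal integer.
  if (cl.some((h) => !/^\d+$/.test(h.value))) findings.push('non-numeric Content-Length');

  // 5. Transfer-Encoding other than exactly "chunked" (e.g. "xchunked",
  //    "chunked, identity"), often used to be understood by only one side.
  if (te.some((h) => h.value.toLowerCase() !== 'chunked')) {
    findings.push('unusual Transfer-Encoding value');
  }

  // 6. Whitespace between the header name and the colon; parsers differ on
  //    whether "Transfer-Encoding :" is the same header or not.
  for (const h of headers) {
    if (/^[^:]*\s:/.test(h.raw)) findings.push(`space before colon in "${h.raw}"`);
  }

  return findings;
}

// Constructed sample request heads for the demo.
const SAMPLES = {
  clean: 'POST /search HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n',
  clte: 'POST /search HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n',
  bareLf: 'POST /search HTTP/1.1\r\nHost: app\nContent-Length: 5\r\n',
  obfuscatedTe: 'POST /search HTTP/1.1\r\nHost: app\r\nTransfer-Encoding : chunked\r\n',
  dupCl: 'POST /search HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nContent-Length: 50\r\n',
};

// Scan every sample and return { name: [findings...] }.
function scanAll() {
  const out = {};
  for (const [name, head] of Object.entries(SAMPLES)) out[name] = smugglingIndicators(head);
  return out;
}

console.log(scanAll());
```

Rules like these are heuristics, not proof of exploitation: legitimate clients rarely send both framing headers or bare LFs, so a hit is worth alerting on, but the real fix is the runtime upgrade described above, and a proxy that normalises or rejects ambiguous framing before it reaches Node.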

If you have questions or need more information, please contact us.

About the Author

Neil Weitzel

Neil is the Manager of the ThreatX Security Operations Center and is located in Boston, MA. He has 15 years of experience working in various roles, from user support to leading security programs. Neil has profound experience in security architecture and cybersecurity best practices, which helps him provide valuable insight to security teams. Before ThreatX, Neil worked with organizations such as Cognizant as an Application Security Architect, Cigital (now Synopsys) as their Practice Director of Vulnerability Assessments, and EIQ Networks (now Cygilant) as their Director of Security Research. Neil also served as a Cybersecurity Instructor and delivered numerous Security and Defensive Programming courses to various clients such as NASA and PayPal. He is an active member of the security community and has delivered lectures at DEF CON, OWASP and local security meetups. Neil also acts as an adjunct lecturer on Software Engineering at his alma mater, Indiana University.