CVE-2019-15605
📋 TL;DR
CVE-2019-15605 is an HTTP request smuggling vulnerability in Node.js that allows attackers to bypass security controls and deliver malicious payloads by sending malformed Transfer-Encoding headers. It affects Node.js 10.x, 12.x and 13.x when handling HTTP requests. Applications that use these Node.js versions as HTTP servers are vulnerable to request smuggling attacks.
💻 Affected Systems
- Node.js
📦 What is this software?
Fedora by Fedoraproject
Graalvm by Oracle
Leap by Opensuse
Node.js by Nodejs
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass security controls, poison caches, hijack user sessions, steal credentials, or perform cross-site scripting attacks by smuggling malicious requests through front-end proxies.
Likely Case
Request smuggling leading to cache poisoning, session hijacking, or credential theft in applications behind load balancers or reverse proxies.
If Mitigated
Limited impact with proper input validation and updated Node.js versions, though some risk remains if other vulnerable components are present.
🎯 Exploit Status
Exploitation requires understanding of HTTP request smuggling techniques and the ability to send malformed HTTP requests to vulnerable servers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Node.js 10.17.0, 12.13.1, 13.0.1 or later
Vendor Advisory: https://nodejs.org/en/blog/vulnerability/november-2019-security-releases/
Restart Required: Yes
Instructions:
1. Identify the Node.js version using 'node --version'.
2. If the version is 10.x (<10.17.0), 12.x (<12.13.1), or 13.x (<13.0.1), upgrade to a patched version.
3. Update package.json dependencies.
4. Restart all Node.js applications and services.
🔧 Temporary Workarounds
HTTP Header Validation
Implement middleware to validate and normalize Transfer-Encoding headers before processing requests
Use Reverse Proxy with Strict Parsing
Deploy a reverse proxy (nginx, Apache) with strict HTTP parsing that rejects malformed Transfer-Encoding headers
🧯 If You Can't Patch
- Implement WAF rules to block requests with malformed Transfer-Encoding headers
- Monitor for unusual HTTP request patterns and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Check the Node.js version with 'node --version'. If the version is 10.x (<10.17.0), 12.x (<12.13.1), or 13.x (<13.0.1), the system is vulnerable.
Check Version:
node --version
Verify Fix Applied:
After patching, verify that the version is 10.17.0+, 12.13.1+, or 13.0.1+ using 'node --version'. Then test with HTTP requests containing malformed Transfer-Encoding headers and confirm they are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP request patterns
- Multiple requests from single connection with different content lengths
- Requests with malformed Transfer-Encoding headers
Network Indicators:
- HTTP requests with conflicting Content-Length and Transfer-Encoding headers
- Requests with obfuscated Transfer-Encoding values
SIEM Query:
source="web_server" AND http_header="Transfer-Encoding" AND (http_header_value="chunked, chunked" OR http_header_value="chunked\r\nTransfer-Encoding: chunked")
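An added example, not code from this advisory or from the Node.js project, that implements the "HTTP Header Validation" workaround above as Express-style middleware and doubles as the framing check behind the log and network indicators listed in this section. The (req, res, next) signature, the sample header lists and the rejection reasons are assumptions.

```javascript
// Added example (not the advisory's or Node.js's own code): reject requests whose
// body framing is ambiguous, the condition request smuggling relies on.
// Input is in the shape of Node's req.rawHeaders: [name, value, name, value, ...].
// Returns a rejection reason string, or null when the framing is unambiguous.
function classifyFraming(rawHeaders) {
  const te = [];
  let hasContentLength = false;
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    if (name === 'transfer-encoding') te.push(rawHeaders[i + 1]);
    if (name === 'content-length') hasContentLength = true;
  }
  if (te.length === 0) return null;                 // no Transfer-Encoding: nothing to desync
  if (te.length > 1) return 'duplicate Transfer-Encoding header';
  if (hasContentLength) return 'Transfer-Encoding together with Content-Length';
  // Only the single literal token "chunked" (case-insensitive, outer whitespace
  // stripped) is accepted; "chunked, chunked", a second encoding, embedded CR/LF
  // or any other variant is treated as obfuscated and refused.
  const value = te[0].trim().toLowerCase();
  if (value !== 'chunked') return `unexpected Transfer-Encoding value ${JSON.stringify(te[0])}`;
  return null;
}

// Middleware (assumed Express-style signature): answer 400, log the reason and
// close the socket so bytes already queued behind this request are never parsed
// as a second request on the same connection.
function transferEncodingGuard(req, res, next) {
  const reason = classifyFraming(req.rawHeaders);
  if (reason === null) return next();
  console.warn(`rejected request from ${req.socket.remoteAddress}: ${reason}`);
  res.writeHead(400, { 'Content-Type': 'text/plain', Connection: 'close' });
  res.end('Bad Request\n', () => req.socket.destroy());
}

// Constructed sample header lists (rawHeaders shape) covering the indicators above.
const SAMPLES = {
  clean:    ['Host', 'example.test', 'Transfer-Encoding', 'chunked'],
  clOnly:   ['Host', 'example.test', 'Content-Length', '4'],
  teAndCl:  ['Host', 'example.test', 'Content-Length', '4', 'Transfer-Encoding', 'chunked'],
  doubled:  ['Host', 'example.test', 'Transfer-Encoding', 'chunked, chunked'],
  repeated: ['Host', 'example.test', 'Transfer-Encoding', 'chunked', 'Transfer-Encoding', 'chunked'],
};

// Run every sample through the classifier; returns {label: reason-or-null}.
function selfCheck() {
  const out = {};
  for (const [label, headers] of Object.entries(SAMPLES)) out[label] = classifyFraming(headers);
  return out;
}
```

Wire it in with app.use(transferEncodingGuard) or call it first inside an http.createServer handler. It runs after Node's own parser has already decided the body framing, so it limits what a desynced connection can do but does not replace the patched parser.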
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
- https://access.redhat.com/errata/RHSA-2020:0573
- https://access.redhat.com/errata/RHSA-2020:0579
- https://access.redhat.com/errata/RHSA-2020:0597
- https://access.redhat.com/errata/RHSA-2020:0598
- https://access.redhat.com/errata/RHSA-2020:0602
- https://access.redhat.com/errata/RHSA-2020:0703
- https://access.redhat.com/errata/RHSA-2020:0707
- https://access.redhat.com/errata/RHSA-2020:0708
- https://hackerone.com/reports/735748
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/
- https://nodejs.org/en/blog/release/v10.19.0/
- https://nodejs.org/en/blog/release/v12.15.0/
- https://nodejs.org/en/blog/release/v13.8.0/
- https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
- https://security.gentoo.org/glsa/202003-48
- https://security.netapp.com/advisory/ntap-20200221-0004/
- https://www.debian.org/security/2020/dsa-4669
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html