CVE-2024-27982

6.5 MEDIUM

📋 TL;DR

This vulnerability in Node.js HTTP server allows HTTP request smuggling when a space precedes the Content-Length header. Attackers can inject a second request within the first request's body, potentially bypassing security controls. All systems running vulnerable Node.js versions with HTTP servers are affected.

💻 Affected Systems

Products:
  • Node.js
Versions: Node.js 20.x before 20.11.1, 18.x before 18.19.1
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects HTTP servers using Node.js's built-in HTTP module. Applications using alternative HTTP libraries may not be vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass authentication, access control, or web application firewalls to perform privilege escalation, data theft, or server-side request forgery.

🟠 Likely Case

Attackers could bypass security filters, poison caches, or hijack sessions through request smuggling.

🟢 If Mitigated

With proper WAF configuration and request validation, impact is limited to potential request parsing anomalies.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests with malformed headers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Node.js 20.11.1, 18.19.1

Vendor Advisory: https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/

Restart Required: Yes

Instructions:

  1. Check the current Node.js version with 'node --version'.
  2. Update using a package manager: 'npm install -g n', then 'n 20.11.1' or 'n 18.19.1'.
  3. Restart all Node.js applications and services.

🔧 Temporary Workarounds

Request Header Validation

all

Implement middleware to validate and normalize HTTP headers before processing

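// Example Express middleware:
const express = require('express');
const app = express();

// Runs after Node.js has parsed the request, so it only normalizes
// the header values that the parser exposes in req.headers.
app.use((req, res, next) => {
  const headers = req.headers;
  Object.keys(headers).forEach(key => {
    const value = headers[key];
    // Header values can be arrays (e.g. set-cookie); only trim strings.
    if (key.includes('content-length') && typeof value === 'string' && value.startsWith(' ')) {
      headers[key] = value.trim();
    }
  });
  next();
});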

🧯 If You Can't Patch

  • Deploy a web application firewall (WAF) with HTTP request smuggling protection rules
  • Deploy a reverse proxy with strict HTTP header validation and normalization

🔍 How to Verify

Check if Vulnerable:

Check whether the Node.js version is in the range 20.0.0 to 20.11.0 or 18.0.0 to 18.19.0

Check Version:

node --version

Verify Fix Applied:

Verify Node.js version is 20.11.1 or 18.19.1 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP 400 responses
  • Requests with malformed Content-Length headers
  • Multiple requests appearing as single request in logs

Network Indicators:

  • HTTP requests with spaces before Content-Length header
  • Unexpected request smuggling patterns

SIEM Query:

source="web_server" AND (http_header=" content-length" OR http_header="Content-Length ")
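
The network indicators and the two patterns in the SIEM query above, expressed as detection logic over raw request bytes. This is an added example, not code from the Node.js project or from this advisory; the function names, the sample requests and the `example.test` host are constructed for illustration.

```javascript
'use strict';

// Scan the header block of one raw HTTP/1.1 request for Content-Length
// lines whose field name is padded with whitespace.
function findPaddedContentLength(rawRequest) {
  const text = Buffer.isBuffer(rawRequest) ? rawRequest.toString('latin1') : String(rawRequest);
  // Headers end at the first empty line; everything after it is body.
  const headEnd = text.indexOf('\r\n\r\n');
  const head = headEnd === -1 ? text : text.slice(0, headEnd);
  const lines = head.split('\r\n');
  const findings = [];

  // lines[0] is the request line, so header lines start at index 1.
  for (let i = 1; i < lines.length; i++) {
    const m = /^([ \t]*)content-length([ \t]*):/i.exec(lines[i]);
    if (!m) continue;
    if (m[1].length > 0) {
      // Matches the " content-length" pattern: whitespace before the name.
      findings.push({ line: i + 1, reason: 'whitespace-before-name', raw: lines[i] });
    } else if (m[2].length > 0) {
      // Matches the "Content-Length " pattern: whitespace before the colon.
      findings.push({ line: i + 1, reason: 'whitespace-before-colon', raw: lines[i] });
    }
  }
  return findings;
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  clean: 'POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello',
  leadingSpace: 'POST /upload HTTP/1.1\r\nHost: example.test\r\n Content-Length: 5\r\n\r\nhello',
  trailingSpace: 'POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\nhello',
  // The same text inside the body must not be reported.
  bodyOnly: 'POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 20\r\n\r\n Content-Length: 5\r\n',
};

// Returns, per sample, a list of "line:reason" strings.
function scanSamples() {
  const report = {};
  for (const [name, raw] of Object.entries(SAMPLES)) {
    report[name] = findPaddedContentLength(raw).map((f) => `${f.line}:${f.reason}`);
  }
  return report;
}

console.log(scanSamples());
```

It needs the raw request bytes, for example from a proxy or packet capture, since parsed header objects may no longer carry the original spacing.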
