FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Node.js -- October 2021 Security Releases

Affected packages
node < 16.11.1
node14 < 14.18.1

Details

VuXML ID a9c5e89d-2d15-11ec-8363-0022489ad614
Discovery 2021-10-12
Entry 2021-10-14

Node.js reports:

HTTP Request Smuggling due to spaces in headers (Medium) (CVE-2021-22959)

The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS).

HTTP Request Smuggling when parsing the body (Medium) (CVE-2021-22960)

The parser ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
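
A strict check for the two parsing leniencies reported above, as an added example that is not Node.js code and not part of the advisory: it rejects whitespace between a header name and the colon (RFC 7230 section 3.2.4) and, conservatively, flags any chunk extension on a chunk-size line. The function names, finding labels and sample requests are constructed for illustration.

```javascript
// Added example (not Node.js code). All sample requests are constructed.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 7230 field-name characters
// Walk a chunked body (ASCII assumed) and flag chunk-size lines with extensions.
function auditChunks(body) {
  const findings = [];
  let pos = 0;
  while (pos < body.length) {
    const eol = body.indexOf('\r\n', pos);
    if (eol === -1) { findings.push({ issue: 'truncated-chunk-header', line: body.slice(pos) }); break; }
    const line = body.slice(pos, eol);
    const m = /^([0-9A-Fa-f]+)(.*)$/.exec(line);
    if (!m || (m[2] !== '' && m[2][0] !== ';')) { findings.push({ issue: 'invalid-chunk-size', line }); break; }
    if (m[2] !== '') findings.push({ issue: 'chunk-extension', line });
    const size = parseInt(m[1], 16);
    if (size === 0) break;            // last-chunk; trailers are not inspected here
    pos = eol + 2 + size + 2;         // skip chunk data and its trailing CRLF
  }
  return findings;
}

// Return findings for one raw HTTP/1.1 request with CRLF line endings.
function auditRequest(raw) {
  const findings = [];
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  let chunked = false;
  for (const line of head.split('\r\n').slice(1)) { // slice(1) skips the request line
    const colon = line.indexOf(':');
    const name = colon === -1 ? line : line.slice(0, colon);
    if (colon === -1 || !TOKEN.test(name)) {
      // RFC 7230 section 3.2.4: no whitespace between field name and colon
      const issue = colon !== -1 && /[ \t]$/.test(name) ? 'space-before-colon' : 'invalid-header-name';
      findings.push({ issue, line });
      continue;
    }
    if (name.toLowerCase() === 'transfer-encoding' && /(^|,)\s*chunked\s*$/i.test(line.slice(colon + 1))) chunked = true;
  }
  return chunked ? findings.concat(auditChunks(body)) : findings;
}

const HEAD = 'POST /upload HTTP/1.1\r\nHost: example.test\r\n';
const SAMPLES = {
  clean: HEAD + 'Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n',
  spaced: HEAD + 'Content-Length : 0\r\n\r\n',
  extension: HEAD + 'Transfer-Encoding: chunked\r\n\r\n5;note=x\r\nhello\r\n0\r\n\r\n',
};
for (const [k, raw] of Object.entries(SAMPLES)) console.log(k, auditRequest(raw).map((f) => f.issue));
```

Running a check like this at each hop is useful for confirming that a proxy and the Node.js backend behind it agree on which requests are malformed, since smuggling depends on the two disagreeing.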

References

CVE Name CVE-2021-22959
CVE Name CVE-2021-22960
URL https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/