CVE-2018-7159

nodejs: HTTP parser allowed for spaces inside Content-Length header values

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.

El analizador HTTP en todas las versiones actuales de Node.js ignora los espacios en la cabecera "Content-Length", permitiendo que entradas como `Content-Length: 1 2" se interpreten con un valor de "12". La especificación HTTP no permite los espacios en el valor "Content-Length" y se ha destacado el analizador HTTP de Node.js con respecto a esta diferencia en concreto. El riesgo de seguridad de este error para los usuarios de Node.js se considera MUY BAJO, ya que es difícil (y tal vez imposible) manipular un ataque que haga uso de este error de forma que no se pueda lograr ya proporcionando un valor incorrecto para "Content-Length". Podrían existir vulnerabilidades en el código de usuario que realizan asunciones incorrectas sobre la precisión potencial de este valor comparado con la longitud total de los datos proporcionados. Se recomienda que los usuarios de Node.js que manipulan utilidades HTTP de bajo nivel vuelvan a comprobar la longitud de cualquier entrada proporcionada una vez se ha completado el análisis.

It was found that the http module from Node.js could accept incorrect Content-Length values, containing spaces within the value, in HTTP headers. A specially crafted client could use this flaw to possibly confuse the script, causing unspecified behavior.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-02-15 CVE Reserved
2018-05-17 CVE Published
2023-11-08 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-115: Misinterpretation of Input

CAPEC

References (5)

URL	Tag	Source
https://support.f5.com/csp/article/K27228191?utm_source=f5support&amp%3Butm_medium=RSS	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2019:2258	2023-11-07
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases	2023-11-07
https://access.redhat.com/security/cve/CVE-2018-7159	2019-08-06
https://bugzilla.redhat.com/show_bug.cgi?id=1561981	2019-08-06

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 4.0.0 <= 4.1.2 Search vendor "Nodejs" for product "Node.js" and version " >= 4.0.0 <= 4.1.2"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 4.2.0 < 4.9.0 Search vendor "Nodejs" for product "Node.js" and version " >= 4.2.0 < 4.9.0"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 6.0.0 <= 6.8.1 Search vendor "Nodejs" for product "Node.js" and version " >= 6.0.0 <= 6.8.1"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 6.9.0 < 6.14.0 Search vendor "Nodejs" for product "Node.js" and version " >= 6.9.0 < 6.14.0"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 8.0.0 <= 8.8.1 Search vendor "Nodejs" for product "Node.js" and version " >= 8.0.0 <= 8.8.1"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 8.9.0 < 8.11.0 Search vendor "Nodejs" for product "Node.js" and version " >= 8.9.0 < 8.11.0"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 9.0.0 < 9.10.0 Search vendor "Nodejs" for product "Node.js" and version " >= 9.0.0 < 9.10.0"		-		Affected