Two critical HTTP request smuggling vulnerabilities in Node.js: Patch immediately

Two security vulnerabilities in Node.js that allowed smuggling HTTP requests into JavaScript have been fixed by the project’s maintainers. As some users will recall, Node.js is a server-side implementation that allows JavaScript to run outside of the widely used browser.

Initially reported by researchers Mattias Grenfeldt and Asta Olofsson as part of a university project, the report has been reissued as part of a presentation for IEE EDOC 2021.

The finding of these flaws required the deployment of deep analyses on six open source web servers and, although they did not initially find any flaws, they eventually encountered these HTTP request smuggling flaws. This attack variant interferes with the way websites process http request streams received from users.

Tracked as CVE-2021-22959, the first flaw allows http requests to be smuggled due to spaces in the headers, plus the HTTP parser accepts requests with a space after the header name and before the colon. According to Grenfeldt, the combination of this flaw with a proxy that ignores these headers could generate severe problems.

On the other hand, CVE-2021-22960 involves a novel attack technique, wherein the combination of faulty line termination in one of the investigated proxies and incorrect analysis of fragment extensions in Node allows for the smuggling of requests. Experts found that the vulnerable proxy was looking for a single new line character (LF) to terminate the line that contained the fragment size, but does not correctly check whether a carriage return exists before the LF.

The researchers also mentioned that the combination of these two security flaws would allow to build a fragmented body that the proxy interprets in one way and Node.js interprets differently. This same behavior was also identified in three other servers analyzed, so experts do not rule out that the problem turns out to be more serious than it appears. Therefore, it is essential that users of this implementation update as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.