1. Home
  2. Vulnerabilities
  3. CVE-2020-8201

CVE-2020-8201

CVSS v3.1 7.4 (High)
74% Progress
CVSS v2.0 5.8 (Medium)
58% Progress
EPSS 0.33 % (71th)
0.33% Progress
Affected Products 3
Advisories 12
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software OVAL Tools, Exploits & PoC Graph Web & Social Timeline

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.

Weaknesses
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE Status
PUBLISHED
CNA
HackerOne
Published Date
2020-09-18 21:15:12
(4 years ago)
Updated Date
2023-11-07 03:26:18
(10 months ago)

Affected Products

Fedoraproject

Nodejs

Opensuse

Configuration #1

    CPE23 From Up To
  Nodejs Node.js from 12.0.0 version and prior 12.18.4 version cpe:2.3:a:nodejs:node.js::*:*:*:lts >= 12.0.0 < 12.18.4
  Nodejs Node.js from 14.0.0 version and prior 14.11.0 version cpe:2.3:a:nodejs:node.js >= 14.0.0 < 14.11.0

Configuration #2

    CPE23 From Up To
  Opensuse Leap 15.2 cpe:2.3:o:opensuse:leap:15.2

Configuration #3

    CPE23 From Up To
  Fedoraproject Fedora 33 cpe:2.3:o:fedoraproject:fedora:33