CVE-2019-15605: XSS
First published: Fri Feb 07 2020(Updated: )
Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. Downloads & release details * Node.js v10.19.0 (LTS) - <a href="https://nodejs.org/en/blog/release/v10.19.0/">https://nodejs.org/en/blog/release/v10.19.0/</a> * Node.js v12.15.0 (LTS) - <a href="https://nodejs.org/en/blog/release/v12.15.0/">https://nodejs.org/en/blog/release/v12.15.0/</a> * Node.js v13.8.0 (LTS) - <a href="https://nodejs.org/en/blog/release/v13.8.0/">https://nodejs.org/en/blog/release/v13.8.0/</a>
Credit: support@hackerone.com support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs | <10.19.0 | 10.19.0 |
| redhat/nodejs | <12.15.0 | 12.15.0 |
| redhat/nodejs | <13.8.0 | 13.8.0 |
| redhat/http-parser | <2.9.3 | 2.9.3 |
| debian/http-parser | 2.9.4-4+deb11u1 2.9.4-5 2.9.4-6 | |
| debian/nodejs | 12.22.12~dfsg-1~deb11u4 12.22.12~dfsg-1~deb11u5 18.19.0+dfsg-6~deb12u2 18.19.0+dfsg-6~deb12u1 20.17.0+dfsg-2 | |
| Node.js | >=10.0.0<10.19.0 | |
| Node.js | >=12.0.0<12.15.0 | |
| Node.js | >=13.0.0<13.8.0 | |
| Debian Linux | =10.0 | |
| Red Hat Fedora | =30 | |
| SUSE Linux | =15.1 | |
| Red Hat Software Collections | =1.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux Server EUS | =7.7 | |
| Red Hat Enterprise Linux Server EUS | =8.1 | |
| Red Hat Enterprise Linux Server EUS | =8.2 | |
| Red Hat Enterprise Linux Server EUS | =8.4 | |
| Red Hat Enterprise Linux Server EUS | =8.6 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Server | =7.7 | |
| Red Hat Enterprise Linux Server | =8.2 | |
| Red Hat Enterprise Linux Server | =8.4 | |
| Red Hat Enterprise Linux Server | =8.6 | |
| Red Hat Enterprise Linux Server | =7.7 | |
| Red Hat Enterprise Linux Server | =8.2 | |
| Red Hat Enterprise Linux Server | =8.4 | |
| Red Hat Enterprise Linux Server | =8.6 | |
| Red Hat Enterprise Linux Workstation | =7.0 | |
| Oracle GraalVM Enterprise Edition | =19.3.1 | |
| Oracle GraalVM Enterprise Edition | =20.0.0 | |
| Node.js | >=13.0.0<13.8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
- https://access.redhat.com/errata/RHSA-2020:0573
- https://access.redhat.com/errata/RHSA-2020:0579
- https://access.redhat.com/errata/RHSA-2020:0597
- https://access.redhat.com/errata/RHSA-2020:0598
- https://access.redhat.com/errata/RHSA-2020:0602
- https://access.redhat.com/errata/RHSA-2020:0703
- https://access.redhat.com/errata/RHSA-2020:0707
- https://access.redhat.com/errata/RHSA-2020:0708
- https://hackerone.com/reports/735748
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/
- https://nodejs.org/en/blog/release/v10.19.0/
- https://nodejs.org/en/blog/release/v12.15.0/
- https://nodejs.org/en/blog/release/v13.8.0/
- https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
- https://security.gentoo.org/glsa/202003-48
- https://security.netapp.com/advisory/ntap-20200221-0004/
- https://www.debian.org/security/2020/dsa-4669
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://launchpad.net/bugs/cve/CVE-2019-15605
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1800376
- https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802501
- https://github.com/nodejs/llhttp/commit/e19af786a172a8ba71a3d13fccc0fd4dfe4b1b94
- https://access.redhat.com/security/cve/cve-2019-15605
- https://access.redhat.com/errata/RHSA-2020:1510
- https://bugzilla.redhat.com/show_bug.cgi?id=1800364
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/175913
- https://www.ibm.com/support/pages/node/6214472 (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2019-15605
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15605
- https://nvd.nist.gov/vuln/detail/CVE-2019-15605
- https://ubuntu.com/security/CVE-2019-15605
Frequently Asked Questions
What is the vulnerability ID for this Node.js HTTP request smuggling vulnerability?
The vulnerability ID for this Node.js HTTP request smuggling vulnerability is CVE-2019-15605.
What is the severity of CVE-2019-15605?
CVE-2019-15605 has a severity level of high.
Which versions of Node.js are affected by CVE-2019-15605?
Versions 10, 12, and 13 of Node.js are affected by CVE-2019-15605.
What is the potential impact of CVE-2019-15605?
CVE-2019-15605 can allow for malicious payload delivery when the transfer-encoding is malformed, potentially leading to unauthorized access or other security breaches.
How can I fix CVE-2019-15605 in Node.js?
To fix CVE-2019-15605 in Node.js, you should update to the recommended versions provided by the relevant software sources.
- agent/type
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-15605
- agent/software-canonical-lookup
- agent/author
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/trending
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- vendor/nodejs
- canonical/node.js
- version/node.js/10.0.0
- version/node.js/12.0.0
- version/node.js/13.0.0
- vendor/debian
- canonical/debian linux
- version/debian linux/10.0
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/30
- vendor/opensuse
- canonical/suse linux
- version/suse linux/15.1
- vendor/redhat
- canonical/red hat software collections
- version/red hat software collections/1.0
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux server eus
- version/red hat enterprise linux server eus/7.7
- version/red hat enterprise linux server eus/8.1
- version/red hat enterprise linux server eus/8.2
- version/red hat enterprise linux server eus/8.4
- version/red hat enterprise linux server eus/8.6
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/7.0
- version/red hat enterprise linux server/7.7
- version/red hat enterprise linux server/8.2
- version/red hat enterprise linux server/8.4
- version/red hat enterprise linux server/8.6
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/7.0
- vendor/oracle
- canonical/oracle graalvm enterprise edition
- version/oracle graalvm enterprise edition/19.3.1
- version/oracle graalvm enterprise edition/20.0.0