CVE-2019-15605: XSS
First published: Fri Feb 07 2020(Updated: )
Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. Downloads & release details * Node.js v10.19.0 (LTS) - <a href="https://nodejs.org/en/blog/release/v10.19.0/">https://nodejs.org/en/blog/release/v10.19.0/</a> * Node.js v12.15.0 (LTS) - <a href="https://nodejs.org/en/blog/release/v12.15.0/">https://nodejs.org/en/blog/release/v12.15.0/</a> * Node.js v13.8.0 (LTS) - <a href="https://nodejs.org/en/blog/release/v13.8.0/">https://nodejs.org/en/blog/release/v13.8.0/</a>
Credit: support@hackerone.com support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nodejs Node.js | >=10.0.0<10.19.0 | |
| Nodejs Node.js | >=12.0.0<12.15.0 | |
| Nodejs Node.js | >=13.0.0<13.8.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =30 | |
| openSUSE Leap | =15.1 | |
| Redhat Software Collections | =1.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Eus | =7.7 | |
| Redhat Enterprise Linux Eus | =8.1 | |
| Redhat Enterprise Linux Eus | =8.2 | |
| Redhat Enterprise Linux Eus | =8.4 | |
| Redhat Enterprise Linux Eus | =8.6 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Aus | =7.7 | |
| Redhat Enterprise Linux Server Aus | =8.2 | |
| Redhat Enterprise Linux Server Aus | =8.4 | |
| Redhat Enterprise Linux Server Aus | =8.6 | |
| Redhat Enterprise Linux Server Tus | =7.7 | |
| Redhat Enterprise Linux Server Tus | =8.2 | |
| Redhat Enterprise Linux Server Tus | =8.4 | |
| Redhat Enterprise Linux Server Tus | =8.6 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| Oracle GraalVM | =19.3.1 | |
| Oracle GraalVM | =20.0.0 | |
| redhat/nodejs | <10.19.0 | 10.19.0 |
| redhat/nodejs | <12.15.0 | 12.15.0 |
| redhat/nodejs | <13.8.0 | 13.8.0 |
| redhat/http-parser | <2.9.3 | 2.9.3 |
| Nodejs Node.js | >=13.0.0<13.8.0 | |
| debian/http-parser | 2.9.4-4+deb11u1 2.9.4-5 2.9.4-6 | |
| debian/nodejs | 12.22.12~dfsg-1~deb11u4 12.22.12~dfsg-1~deb11u5 18.19.0+dfsg-6~deb12u2 18.19.0+dfsg-6~deb12u1 20.17.0+dfsg-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
- https://access.redhat.com/errata/RHSA-2020:0573
- https://access.redhat.com/errata/RHSA-2020:0579
- https://access.redhat.com/errata/RHSA-2020:0597
- https://access.redhat.com/errata/RHSA-2020:0598
- https://access.redhat.com/errata/RHSA-2020:0602
- https://access.redhat.com/errata/RHSA-2020:0703
- https://access.redhat.com/errata/RHSA-2020:0707
- https://access.redhat.com/errata/RHSA-2020:0708
- https://hackerone.com/reports/735748
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/
- https://nodejs.org/en/blog/release/v10.19.0/
- https://nodejs.org/en/blog/release/v12.15.0/
- https://nodejs.org/en/blog/release/v13.8.0/
- https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
- https://security.gentoo.org/glsa/202003-48
- https://security.netapp.com/advisory/ntap-20200221-0004/
- https://www.debian.org/security/2020/dsa-4669
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://launchpad.net/bugs/cve/CVE-2019-15605
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1800376
- https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802501
- https://github.com/nodejs/llhttp/commit/e19af786a172a8ba71a3d13fccc0fd4dfe4b1b94
- https://access.redhat.com/security/cve/cve-2019-15605
- https://access.redhat.com/errata/RHSA-2020:1510
- https://bugzilla.redhat.com/show_bug.cgi?id=1800364
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CT3WTR4P5VAJ3GJGKPYEDUPTNZ3IEDUR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLB676PDU4RJQLWQUA277YNGYYNEYGWO/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/175913
- https://www.ibm.com/support/pages/node/6214472 (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2019-15605
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15605
- https://nvd.nist.gov/vuln/detail/CVE-2019-15605
- https://ubuntu.com/security/CVE-2019-15605
Frequently Asked Questions
What is the vulnerability ID for this Node.js HTTP request smuggling vulnerability?
The vulnerability ID for this Node.js HTTP request smuggling vulnerability is CVE-2019-15605.
What is the severity of CVE-2019-15605?
CVE-2019-15605 has a severity level of high.
Which versions of Node.js are affected by CVE-2019-15605?
Versions 10, 12, and 13 of Node.js are affected by CVE-2019-15605.
What is the potential impact of CVE-2019-15605?
CVE-2019-15605 can allow for malicious payload delivery when the transfer-encoding is malformed, potentially leading to unauthorized access or other security breaches.
How can I fix CVE-2019-15605 in Node.js?
To fix CVE-2019-15605 in Node.js, you should update to the recommended versions provided by the relevant software sources.
- collector/nvd-index
- agent/type
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-15605
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- agent/author
- collector/nvd-cve
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/first-publish-date
- agent/softwarecombine
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/trending
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/10.0.0
- version/nodejs node.js/12.0.0
- version/nodejs node.js/13.0.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/redhat
- canonical/redhat software collections
- version/redhat software collections/1.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/7.7
- version/redhat enterprise linux eus/8.1
- version/redhat enterprise linux eus/8.2
- version/redhat enterprise linux eus/8.4
- version/redhat enterprise linux eus/8.6
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.7
- version/redhat enterprise linux server aus/8.2
- version/redhat enterprise linux server aus/8.4
- version/redhat enterprise linux server aus/8.6
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.7
- version/redhat enterprise linux server tus/8.2
- version/redhat enterprise linux server tus/8.4
- version/redhat enterprise linux server tus/8.6
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0
- vendor/oracle
- canonical/oracle graalvm
- version/oracle graalvm/19.3.1
- version/oracle graalvm/20.0.0
- package-manager/redhat
- package-manager/debian