This is a security release.
Notable changes
- CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
- The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2021-22959 after publication.
- CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
- The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at CVE-2021-22960 after publication.
Commits
- [
21a2e554e3
] - deps: update llhttp to 2.1.4 (Fedor Indutny) nodejs-private/node-private#286 - [
d5d3a03246
] - http: add regression test for smuggling content length (Matteo Collina) nodejs-private/node-private#286 - [
0858587f21
] - http: add regression test for chunked smuggling (Matteo Collina) nodejs-private/node-private#286