This is a security release.
Notable changes
- CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
- The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2021-22959 after publication.
- CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
- The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at CVE-2021-22960 after publication.
Commits
- [
af488f8dc8] - deps: update llhttp to 6.0.4 (Matteo Collina) nodejs-private/node-private#284 - [
2d1eefad98] - http: add regression test for smuggling content length (Matteo Collina) nodejs-private/node-private#284 - [
45d419ab1c] - http: add regression test for chunked smuggling (Matteo Collina) nodejs-private/node-private#284