DEBIAN-CVE-2020-8287

DEBIAN-CVE-2020-8287 PUBLISHED CVSS 6.5 MEDIUM

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

Risk Scores

CVSS v3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Products

Vendor	Product	Versions
Debian:12	nodejs	0, 0, 0
Debian:12	http-parser	0, 0, 0
Debian:13	http-parser	0, 0, 0
Debian:11	http-parser	2.9.4-4, 0, 0
Debian:13	nodejs	0, 0, 0
Debian:14	nodejs	0, 0, 0
Debian:14	http-parser	0, 0, 0
Debian:11	nodejs	0, 0, 0

Timeline

Jan 6, 2021 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2020-8287 advisory

Open in Interactive Console →