What the vulnerability does

01 Description

Node.js versions before 10.23.1, 12.20.1, 14.15.4, and 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.
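A strict header check that rejects a request carrying duplicate framing headers instead of choosing one copy, shown beside the "first wins" and "last wins" readings that let two hops disagree. This is an added example, not Node.js code or part of the CVE record; the function names, the singleton header list and the sample request are assumptions constructed for illustration.

```javascript
// Headers that decide message framing or routing and must appear at most once (assumed list).
const SINGLETON_HEADERS = new Set(['transfer-encoding', 'content-length', 'host']);

// Split a raw CRLF-separated header block into lower-cased [name, value] pairs.
function parseHeaderLines(rawBlock) {
  return rawBlock
    .split('\r\n')
    .filter((line) => line.length > 0)
    .map((line) => {
      const idx = line.indexOf(':');
      if (idx <= 0) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
      return [line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()];
    });
}

// Resolve a header under a duplicate policy: 'first' is the behaviour the description
// attributes to affected Node.js versions; 'last' is what another hop might apply.
function resolveHeader(pairs, name, policy) {
  const values = pairs.filter(([n]) => n === name).map(([, v]) => v);
  if (values.length === 0) return undefined;
  return policy === 'first' ? values[0] : values[values.length - 1];
}

// Return every singleton header that occurs more than once, with all of its values.
function findDuplicateSingletons(pairs) {
  const seen = new Map();
  for (const [name, value] of pairs) {
    if (!SINGLETON_HEADERS.has(name)) continue;
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(value);
  }
  return [...seen].filter(([, v]) => v.length > 1).map(([name, values]) => ({ name, values }));
}

// Strict validation: any duplicated singleton header means the request is rejected with 400.
function validateRequestHeaders(rawBlock) {
  const pairs = parseHeaderLines(rawBlock);
  const duplicates = findDuplicateSingletons(pairs);
  return {
    ok: duplicates.length === 0,
    rejectWith: duplicates.length === 0 ? null : 400,
    duplicates,
    firstWins: resolveHeader(pairs, 'transfer-encoding', 'first'),
    lastWins: resolveHeader(pairs, 'transfer-encoding', 'last'),
  };
}

// Constructed sample input: two Transfer-Encoding fields, as in the description above.
const SAMPLE = 'Host: example.test\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n';
```

When `firstWins` and `lastWins` differ, two parsers on the same connection can frame the body differently, which is why the check rejects the request instead of picking a value.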

Key dates

02 Disclosure timeline

January 6, 2021: CVE published
April 30, 2025: Record updated

Related vulnerabilities

04 Related CVE