cvedb.io
CVE-2018-12116
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2018-11-28T17:29:00.230 · Last modified 2026-06-17T01:37:11.003

Summary

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.

Affected products

nodejs — node.js

Does this affect you?

Add your gear to cvedb and we'll alert you only when nodejs ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.