What is CVE-2019-15605?

CVE-2019-15605 is a vulnerability in Nodejs Node, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). Published 2020-02-07.

Is CVE-2019-15605 known to be exploited?

9 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Nodejs Node

CVE-2019-15605

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

Vulnerability class: HTTP Request Smuggling

EPSS: 0.571 (98.9th percentile) — read the EPSS interpretation.

Affected products

Nodejs Node — versions 4.0, 5.0, 6.0

Weakness classification (CWE)

CWE-444 — Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)

Public proof-of-concept exploits

References

FEDORA-2020-3838c8ea98 (vendor-advisory, x_refsource_FEDORA)
FEDORA-2020-47efc31973 (vendor-advisory, x_refsource_FEDORA)
RHSA-2020:0573 (vendor-advisory, x_refsource_REDHAT)
RHSA-2020:0579 (vendor-advisory, x_refsource_REDHAT)
RHSA-2020:0597 (vendor-advisory, x_refsource_REDHAT)
RHSA-2020:0598 (vendor-advisory, x_refsource_REDHAT)
RHSA-2020:0602 (vendor-advisory, x_refsource_REDHAT)
openSUSE-SU-2020:0293 (vendor-advisory, x_refsource_SUSE)
RHSA-2020:0703 (vendor-advisory, x_refsource_REDHAT)
RHSA-2020:0707 (vendor-advisory, x_refsource_REDHAT)

Frequently asked questions

What is CVE-2019-15605?: CVE-2019-15605 is a vulnerability in Nodejs Node, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). Published 2020-02-07.
Is CVE-2019-15605 known to be exploited?: 9 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.