IMPORTANT! Update Node.JS to 18.20.1, 20.12.1, 21.7.2 or newer!
Older versions of Node.JS had a CVE-2024-27982 vulnerability, which involves placing a space before Content-Length header, enabling attackers to smuggle in a second request.
The original vulnerability description:
The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
Future SVR.JS versions will warn you about this vulnerability in server logs, if you’re running affected versions of Node.JS.