{"api_version":"1","generated_at":"2026-04-23T01:18:26+00:00","cve":"CVE-2020-8201","urls":{"html":"https://cve.report/CVE-2020-8201","api":"https://cve.report/api/cve/CVE-2020-8201.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-8201","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-8201"},"summary":{"title":"CVE-2020-8201","description":"Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2020-09-18 21:15:00","updated_at":"2023-11-07 03:26:00"},"problem_types":["CWE-444"],"metrics":[],"references":[{"url":"https://security.netapp.com/advisory/ntap-20201009-0004/","name":"https://security.netapp.com/advisory/ntap-20201009-0004/","refsource":"CONFIRM","tags":[],"title":"October 2020 Node.js Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/","name":"https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/","refsource":"MISC","tags":["Vendor Advisory"],"title":"September 2020 Security Releases | Node.js","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/","name":"FEDORA-2020-43d5a372fc","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: nodejs-14.15.1-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202101-07","name":"GLSA-202101-07","refsource":"GENTOO","tags":[],"title":"NodeJS: Multiple vulnerabilities (GLSA 202101-07) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/","name":"FEDORA-2020-43d5a372fc","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: nodejs-14.15.1-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://hackerone.com/reports/922597","name":"https://hackerone.com/reports/922597","refsource":"MISC","tags":["Permissions Required"],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html","name":"openSUSE-SU-2020:1616","refsource":"SUSE","tags":["Third Party Advisory"],"title":"[security-announce] openSUSE-SU-2020:1616-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-8201","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8201","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"8201","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"8201","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"8201","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"8201","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"8201","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"8201","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"15.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"8201","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"15.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-8201","qid":"376248","title":"IBM Spectrum Control Multiple Vulnerabilities (6359903,6359899,6359901)"},{"cve":"CVE-2020-8201","qid":"500437","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2020-8201","qid":"501636","title":"Alpine Linux Security Update for nodejs-current"},{"cve":"CVE-2020-8201","qid":"504200","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2020-8201","qid":"690520","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for node.js (4ca5894c-f7f1-11ea-8ff8-0022489ad614)"},{"cve":"CVE-2020-8201","qid":"940128","title":"AlmaLinux Security Update for nodejs:12 (ALSA-2020:4272)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-8201","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"https://github.com/nodejs/node","version":{"version_data":[{"version_value":"Fixed in 12.18.4 and 14.11"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"HTTP Request Smuggling (CWE-444)"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/","url":"https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"},{"refsource":"MISC","name":"https://hackerone.com/reports/922597","url":"https://hackerone.com/reports/922597"},{"refsource":"SUSE","name":"openSUSE-SU-2020:1616","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20201009-0004/","url":"https://security.netapp.com/advisory/ntap-20201009-0004/"},{"refsource":"FEDORA","name":"FEDORA-2020-43d5a372fc","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"},{"refsource":"GENTOO","name":"GLSA-202101-07","url":"https://security.gentoo.org/glsa/202101-07"}]},"description":{"description_data":[{"lang":"eng","value":"Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names."}]}},"nvd":{"publishedDate":"2020-09-18 21:15:00","lastModifiedDate":"2023-11-07 03:26:00","problem_types":["CWE-444"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*","versionStartIncluding":"14.0.0","versionEndExcluding":"14.11.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*","versionStartIncluding":"12.0.0","versionEndExcluding":"12.18.4","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"8201","Ordinal":"168538","Title":"CVE-2020-8201","CVE":"CVE-2020-8201","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"8201","Ordinal":"1","NoteData":"Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"8201","Ordinal":"2","NoteData":"2020-09-18","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"8201","Ordinal":"3","NoteData":"2021-01-11","Type":"Other","Title":"Modified"}]}}}