Strix
26.1K

CVE-2016-2216

UnknownEPSS 7.01%

Last modified

CVE-2016-2216 is a vulnerability of currently unknown severity. The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.. EPSS estimates a 7.01% chance of exploitation in the next 30 days.

Description

The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.

Metrics

EPSS Probability
7.01%

93.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
NodejsNode.Js0.10.0
NodejsNode.Js0.10.1
NodejsNode.Js0.10.2
NodejsNode.Js0.10.3
NodejsNode.Js0.10.4
NodejsNode.Js0.10.5
NodejsNode.Js0.10.6
NodejsNode.Js0.10.7
NodejsNode.Js0.10.8
NodejsNode.Js0.10.9
NodejsNode.Js0.10.10
NodejsNode.Js0.10.11
NodejsNode.Js0.10.12
NodejsNode.Js0.10.13
NodejsNode.Js0.10.14
NodejsNode.Js0.10.15
NodejsNode.Js0.10.16
NodejsNode.Js0.10.16-isaacs-manual
NodejsNode.Js0.10.17
NodejsNode.Js0.10.18
NodejsNode.Js0.10.19
NodejsNode.Js0.10.20
NodejsNode.Js0.10.21
NodejsNode.Js0.10.22
NodejsNode.Js0.10.23
NodejsNode.Js0.10.24
NodejsNode.Js0.10.25
NodejsNode.Js0.10.26
NodejsNode.Js0.10.27
NodejsNode.Js0.10.28
NodejsNode.Js0.10.29
NodejsNode.Js0.10.30
NodejsNode.Js0.10.31
NodejsNode.Js0.10.32
NodejsNode.Js0.10.33
NodejsNode.Js0.10.34
NodejsNode.Js0.10.35
NodejsNode.Js0.10.36
NodejsNode.Js0.10.37
NodejsNode.Js0.10.38
NodejsNode.Js0.10.39
NodejsNode.Js0.10.40
NodejsNode.Js0.10.41
NodejsNode.Js0.11.6
NodejsNode.Js0.11.7
NodejsNode.Js0.11.8
NodejsNode.Js0.11.9
NodejsNode.Js0.11.10
NodejsNode.Js0.11.11
NodejsNode.Js0.11.12

Showing 50 of 85 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2016-2216?
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
How severe is CVE-2016-2216?
Severity scoring for CVE-2016-2216 is pending analysis. The EPSS model estimates a 7.01% probability of exploitation in the next 30 days.
How do I fix CVE-2016-2216?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-2216?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST