Improper Input Validation The advisory has been revoked - it doesn't affect any version of package nodejs  (opens in a new tab)


Threat Intelligence

EPSS
7.01% (94th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UBUNTU1604-NODEJS-312663
  • published7 Apr 2016
  • disclosed7 Apr 2016

Introduced: 7 Apr 2016

CVE-2016-2216  (opens in a new tab)
CWE-20  (opens in a new tab)

Amendment

The Ubuntu security team deemed this advisory irrelevant for Ubuntu:16.04.

NVD Description

Note: Versions mentioned in the description apply only to the upstream nodejs package and not the nodejs package as distributed by Ubuntu.

The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.