「HackerOne」

**Summary:** The `llhttp` parser in the `http` module in Node 16.3.0 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) when a Node server is put behind an Apache Traffic Server (ATS) 9.0.0 proxy. **Description:** In the `chunked` transfer encoding format there can be a so-called chunk extension after each chunk size. Example: ``` GET...

hackerone.com

Web page

Content character count: 0 characters

Number of headings (H2/H3 tags): 0

Views: 126

2021-11-04 11:10:48
