CVE-2024-27982: The team has identified a critical vulnerability in the http server of the most recent version of...
6.5
Root Cause Analysis
The vulnerability (CVE-2024-27982) describes an HTTP request smuggling issue in Node.js due to malformed headers, specifically when a space precedes the Content-Length header. The fix was identified in commit bd0aa5d44c894a170863de369dde6fc45faac0c2 in the nodejs/node repository, which updates deps/llhttp/src/llhttp.c.
The core of the HTTP parsing in llhttp is handled by the static function llhttp__internal__run, which is a large state machine. The patch modifies this state machine to be stricter about whitespace in headers by default. Previously, certain whitespace (like spaces before a header name or after a header value, related to OBS-folding) was tolerated, leading to potential misinterpretation of headers like Content-Length. The patch introduces checks for lenient parsing flags; if not set (which is the new default), such whitespace now causes a parsing error (e.g., "Unexpected whitespace after header value").
llhttp__internal__run is where the vulnerable parsing logic resided and where the fix was applied. llhttp_execute is the public API function that calls llhttp__internal__run and would therefore be part of the execution path when the vulnerability is triggered. Both functions are critical runtime indicators.