-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability (CVE-2024-27982) describes an HTTP request smuggling issue in Node.js due to malformed headers, specifically when a space precedes the Content-Length header. The fix was identified in commit bd0aa5d44c894a170863de369dde6fc45faac0c2 in the nodejs/node repository, which updates deps/llhttp/src/llhttp.c.
The core of the HTTP parsing in llhttp is handled by the static function llhttp__internal__run, which is a large state machine. The patch modifies this state machine to be stricter about whitespace in headers by default. Previously, certain whitespace (like spaces before a header name or after a header value, related to OBS-folding) was tolerated, leading to potential misinterpretation of headers like Content-Length. The patch introduces checks for lenient parsing flags; if not set (which is the new default), such whitespace now causes a parsing error (e.g., "Unexpected whitespace after header value").
llhttp__internal__run is where the vulnerable parsing logic resided and where the fix was applied. llhttp_execute is the public API function that calls llhttp__internal__run and would therefore be part of the execution path when the vulnerability is triggered. Both functions are critical runtime indicators.