| 1 | | New minor version. |
| | 1 | New minor version (14.18.0) - now 14.18.1 with security fixes: |
| | 2 | {{{ |
| | 3 | (Update 12-Oct-2021) Security releases available |
| | 4 | |
| | 5 | Updates are now available for the v16.x, v14.x, and v12.x Node.js release lines for the following issues. |
| | 6 | HTTP Request Smuggling due to spaced in headers (Medium)(CVE-2021-22959) |
| | 7 | |
| | 8 | The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2021-22959 after publication. |
| | 9 | |
| | 10 | THe fix for this is included in llhttp v2.1.4 and v6.0.6. |
| | 11 | |
| | 12 | Thanks to Mattias Grenfeldt (https://grenfeldt.dev/) and Asta Olofsson for reporting this vulnerability. |
| | 13 | |
| | 14 | Impacts: |
| | 15 | |
| | 16 | All versions of the 16.x, 14.x, and 12.x releases lines. |
| | 17 | |
| | 18 | HTTP Request Smuggling when parsing the body (Medium)(CVE-2021-22960) |
| | 19 | |
| | 20 | The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at CVE-2021-22960 after publication. |
| | 21 | |
| | 22 | The fix for this is included in llhttp v2.1.4 and v6.0.6. |
| | 23 | |
| | 24 | Thanks to Mattias Grenfeldt (https://grenfeldt.dev/) and Asta Olofsson for reporting this vulnerability. |
| | 25 | |
| | 26 | Impacts: |
| | 27 | |
| | 28 | All versions of the 16.x, 14.x, and 12.x releases lines. |
| | 29 | }}} |
