CVE-2024-27982: 
npm vulnerability analysis and mitigation

CVE-2024-27982 is a medium severity vulnerability identified in the HTTP server of Node.js, where malformed headers can lead to HTTP request smuggling. The vulnerability was discovered and disclosed in April 2024, affecting all active Node.js release lines: 18.x, 20.x, and 21.x. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first (Node.js Blog).

The vulnerability stems from an implementation flaw in Node.js's HTTP server where content-length headers with leading spaces are not properly interpreted. This improper header parsing can lead to HTTP request smuggling vulnerabilities. The issue has been assigned a CVSS v3.0 base score of 6.5 (Medium) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L (NVD).

The vulnerability allows attackers to perform HTTP request smuggling attacks, which could potentially lead to request queue poisoning, bypass security controls, or perform other malicious actions. The CVSS scoring indicates that while no confidentiality impact is present, there are low impacts to both integrity and availability of the affected systems (HackerOne).

The vulnerability has been addressed in security updates released for all affected Node.js versions. Users are advised to upgrade to the patched versions. The fix was implemented by Paolo Insogna and released as part of the April 2024 security updates (Node.js Blog).