Skip to content

Fix: Potential Vulnerability in Cloned Function#1325

Merged
visualfc merged 1 commit intovisualfc:masterfrom
tabudz:fix-CVE-2020-8287
May 19, 2025
Merged

Fix: Potential Vulnerability in Cloned Function#1325
visualfc merged 1 commit intovisualfc:masterfrom
tabudz:fix-CVE-2020-8287

Conversation

@tabudz
Copy link
Contributor

@tabudz tabudz commented Feb 25, 2025

Description
This PR fixes a security vulnerability in http_parser_execute() that was cloned from node but did not receive the security patch. The original issue was reported and fixed under nodejs/node@fc70ce0.
This PR applies the same patch to eliminate the vulnerability.

References
https://nvd.nist.gov/vuln/detail/CVE-2020-8287
nodejs/node@fc70ce0

@tabudz
http: unset F_CHUNKED on new Transfer-Encoding
bd3949e 
Duplicate `Transfer-Encoding` header should be a treated as a single,
but with original header values concatenated with a comma separator. In
the light of this, even if the past `Transfer-Encoding` ended with
`chunked`, we should be not let the `F_CHUNKED` to leak into the next
header, because mere presence of another header indicates that `chunked`
is not the last transfer-encoding token.

CVE-ID: CVE-2020-8287
PR-URL: nodejs-private/node-private#235
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
@visualfc visualfc merged commit f7cd58f into visualfc:master May 19, 2025
@tabudz
Copy link
Contributor Author

tabudz commented Nov 19, 2025

Hi @visualfc, thank you for merging my PR. I plan to report this as a CVE and want to check if you have any concerns.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tabudz @visualfc