The HTTP standards specify that header names and values are separated by a colon. Mongoose allows them to be separated by whitespace. This is a potential vector for HTTP request smuggling.
For example, Mongoose will misinterpret the following request:
GET / HTTP/1.1\r\nContent-Length 10\r\n\r\n0123456789
Because Mongoose does not enforce that header names and values be separated by a colon, Mongoose misinterprets this request as having a Content-Length header, so it sees 0123456789 as the request's body. A standards-compliant HTTP server would reject the message because it contains an invalid header.
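The strict behaviour described above, as an added illustration (hypothetical code, not Mongoose's own): a field-line parser that follows RFC 9112's `field-name ":" OWS field-value OWS` grammar, so the whitespace-separated `Content-Length 10` line is rejected and the request is treated as malformed rather than as carrying a 10-byte body.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical strict field-line parser (added example, not Mongoose's code).
 * RFC 9112: field-line = field-name ":" OWS field-value OWS, where field-name
 * is a token; whitespace is never a valid separator between name and value. */
static int is_tchar(int c) {
    return isalnum(c) || strchr("!#$%&'*+-.^_`|~", c) != NULL;
}
/* Returns 1 and fills name/value if line is a valid field-line, else 0. */
int parse_field_line(const char *line, char *name, size_t nsz, char *value, size_t vsz) {
    const char *colon = strchr(line, ':');
    if (colon == NULL || colon == line) return 0;       /* no colon, or empty name */
    for (const char *p = line; p < colon; p++)
        if (!is_tchar((unsigned char)*p)) return 0;     /* e.g. a space inside/after the name */
    size_t nlen = (size_t)(colon - line);
    if (nlen >= nsz) return 0;
    memcpy(name, line, nlen); name[nlen] = '\0';
    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t') v++;                /* strip leading OWS */
    const char *end = v + strlen(v);
    while (end > v && (end[-1] == ' ' || end[-1] == '\t')) end--; /* trailing OWS */
    size_t vlen = (size_t)(end - v);
    if (vlen >= vsz) return 0;
    memcpy(value, v, vlen); value[vlen] = '\0';
    return 1;
}

/* Walks the header section of a raw CRLF-delimited request and returns the
 * Content-Length a compliant server would act on: -1 means the request is
 * malformed and must be rejected, 0 means no body was declared. */
long strict_content_length(const char *req) {
    const char *line = strstr(req, "\r\n");            /* skip the request-line */
    if (line == NULL) return -1;
    long clen = 0;
    for (line += 2; strncmp(line, "\r\n", 2) != 0; ) {
        const char *eol = strstr(line, "\r\n");
        if (eol == NULL) return -1;                     /* header section never terminated */
        char buf[256], name[64], value[128];
        size_t len = (size_t)(eol - line);
        if (len >= sizeof buf) return -1;
        memcpy(buf, line, len); buf[len] = '\0';
        if (!parse_field_line(buf, name, sizeof name, value, sizeof value)) return -1;
        if (strcasecmp(name, "Content-Length") == 0) clen = strtol(value, NULL, 10);
        line = eol + 2;
    }
    return clen;
}
```

Feeding the request from the report returns -1 (reject), while the same bytes with `Content-Length: 10` return 10.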
kenballus changed the title from "Mongoose separates HTTP header values incorrectly" to "Mongoose separates HTTP header names from values incorrectly" on Jul 7, 2023.