CVE-2016-5325 : CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js

CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.

Published 2016-10-10 16:59:00

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2016-5325

Suse » Linux Enterprise » Version: 12.0
cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.0.0
cpe:2.3:a:nodejs:node.js:4.0.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.1.0
cpe:2.3:a:nodejs:node.js:4.1.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.1.1
cpe:2.3:a:nodejs:node.js:4.1.1:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.7
cpe:2.3:a:nodejs:node.js:0.12.7:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.6
cpe:2.3:a:nodejs:node.js:0.12.6:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.4
cpe:2.3:a:nodejs:node.js:0.12.4:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.3
cpe:2.3:a:nodejs:node.js:0.12.3:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.2.0
cpe:2.3:a:nodejs:node.js:4.2.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.8
cpe:2.3:a:nodejs:node.js:0.12.8:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.1
cpe:2.3:a:nodejs:node.js:0.12.1:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.5
cpe:2.3:a:nodejs:node.js:0.12.5:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.2.2
cpe:2.3:a:nodejs:node.js:4.2.2:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.2.1
cpe:2.3:a:nodejs:node.js:4.2.1:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.2
cpe:2.3:a:nodejs:node.js:0.12.2:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.0
cpe:2.3:a:nodejs:node.js:0.12.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.9
cpe:2.3:a:nodejs:node.js:0.10.9:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.8
cpe:2.3:a:nodejs:node.js:0.10.8:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.38
cpe:2.3:a:nodejs:node.js:0.10.38:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.37
cpe:2.3:a:nodejs:node.js:0.10.37:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.30
cpe:2.3:a:nodejs:node.js:0.10.30:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.3
cpe:2.3:a:nodejs:node.js:0.10.3:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.23
cpe:2.3:a:nodejs:node.js:0.10.23:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.22
cpe:2.3:a:nodejs:node.js:0.10.22:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.16
cpe:2.3:a:nodejs:node.js:0.10.16:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.15
cpe:2.3:a:nodejs:node.js:0.10.15:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.0
cpe:2.3:a:nodejs:node.js:0.10.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.2.4
cpe:2.3:a:nodejs:node.js:4.2.4:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.1.2
cpe:2.3:a:nodejs:node.js:4.1.2:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.7
cpe:2.3:a:nodejs:node.js:0.10.7:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.6
cpe:2.3:a:nodejs:node.js:0.10.6:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.36
cpe:2.3:a:nodejs:node.js:0.10.36:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.35
cpe:2.3:a:nodejs:node.js:0.10.35:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.29
cpe:2.3:a:nodejs:node.js:0.10.29:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.28
cpe:2.3:a:nodejs:node.js:0.10.28:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.21
cpe:2.3:a:nodejs:node.js:0.10.21:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.20
cpe:2.3:a:nodejs:node.js:0.10.20:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.14
cpe:2.3:a:nodejs:node.js:0.10.14:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.13
cpe:2.3:a:nodejs:node.js:0.10.13:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.2.3
cpe:2.3:a:nodejs:node.js:4.2.3:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.9
cpe:2.3:a:nodejs:node.js:0.12.9:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.4
cpe:2.3:a:nodejs:node.js:0.10.4:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.39
cpe:2.3:a:nodejs:node.js:0.10.39:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.32
cpe:2.3:a:nodejs:node.js:0.10.32:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.31
cpe:2.3:a:nodejs:node.js:0.10.31:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.25
cpe:2.3:a:nodejs:node.js:0.10.25:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.24
cpe:2.3:a:nodejs:node.js:0.10.24:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.17
cpe:2.3:a:nodejs:node.js:0.10.17:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.16-isaacs-manual
cpe:2.3:a:nodejs:node.js:0.10.16-isaacs-manual:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.10
cpe:2.3:a:nodejs:node.js:0.10.10:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.1
cpe:2.3:a:nodejs:node.js:0.10.1:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.2.6
cpe:2.3:a:nodejs:node.js:4.2.6:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.2.5
cpe:2.3:a:nodejs:node.js:4.2.5:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.5
cpe:2.3:a:nodejs:node.js:0.10.5:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.41
cpe:2.3:a:nodejs:node.js:0.10.41:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.40
cpe:2.3:a:nodejs:node.js:0.10.40:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.34
cpe:2.3:a:nodejs:node.js:0.10.34:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.33
cpe:2.3:a:nodejs:node.js:0.10.33:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.27
cpe:2.3:a:nodejs:node.js:0.10.27:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.26
cpe:2.3:a:nodejs:node.js:0.10.26:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.2
cpe:2.3:a:nodejs:node.js:0.10.2:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.19
cpe:2.3:a:nodejs:node.js:0.10.19:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.18
cpe:2.3:a:nodejs:node.js:0.10.18:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.12
cpe:2.3:a:nodejs:node.js:0.10.12:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.11
cpe:2.3:a:nodejs:node.js:0.10.11:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.4.0
cpe:2.3:a:nodejs:node.js:4.4.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.3.2
cpe:2.3:a:nodejs:node.js:4.3.2:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.3.0
cpe:2.3:a:nodejs:node.js:4.3.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.4.1
cpe:2.3:a:nodejs:node.js:4.4.1:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.3.1
cpe:2.3:a:nodejs:node.js:4.3.1:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.4.4
cpe:2.3:a:nodejs:node.js:4.4.4:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.4.5
cpe:2.3:a:nodejs:node.js:4.4.5:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.5.0
cpe:2.3:a:nodejs:node.js:4.5.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.4.2
cpe:2.3:a:nodejs:node.js:4.4.2:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.4.3
cpe:2.3:a:nodejs:node.js:4.4.3:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.4.6
cpe:2.3:a:nodejs:node.js:4.4.6:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 4.4.7
cpe:2.3:a:nodejs:node.js:4.4.7:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.42
cpe:2.3:a:nodejs:node.js:0.10.42:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.43
cpe:2.3:a:nodejs:node.js:0.10.43:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.46
cpe:2.3:a:nodejs:node.js:0.10.46:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.44
cpe:2.3:a:nodejs:node.js:0.10.44:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.10.45
cpe:2.3:a:nodejs:node.js:0.10.45:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.10
cpe:2.3:a:nodejs:node.js:0.12.10:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.13
cpe:2.3:a:nodejs:node.js:0.12.13:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.14
cpe:2.3:a:nodejs:node.js:0.12.14:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.15
cpe:2.3:a:nodejs:node.js:0.12.15:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.11
cpe:2.3:a:nodejs:node.js:0.12.11:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 0.12.12
cpe:2.3:a:nodejs:node.js:0.12.12:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 6.1.0
cpe:2.3:a:nodejs:node.js:6.1.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 6.5.0
cpe:2.3:a:nodejs:node.js:6.5.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 6.6.0
cpe:2.3:a:nodejs:node.js:6.6.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 6.2.2
cpe:2.3:a:nodejs:node.js:6.2.2:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 6.3.0
cpe:2.3:a:nodejs:node.js:6.3.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 6.3.1
cpe:2.3:a:nodejs:node.js:6.3.1:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 6.4.0
cpe:2.3:a:nodejs:node.js:6.4.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 6.2.0
cpe:2.3:a:nodejs:node.js:6.2.0:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 6.2.1
cpe:2.3:a:nodejs:node.js:6.2.1:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » Version: 6.0.0
cpe:2.3:a:nodejs:node.js:6.0.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-5325

EPSS FAQ

0.17%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 34 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-5325

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2016-5325

CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-5325

http://www.securityfocus.com/bid/93483

Node.js CVE-2016-5325 CRLF Injection Vulnerability
https://security.gentoo.org/glsa/201612-43

Node.js: Multiple vulnerabilities (GLSA 201612-43) — Gentoo security

CVEs referencing this url
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/

Security updates for all active release lines, September 2016 | Node.js
Patch;Vendor Advisory

CVEs referencing this url
https://github.com/nodejs/node/commit/c0f13e56a20f9bde5a67d873a7f9564487160762

http: check reason chars in writeHead · nodejs/node@c0f13e5 · GitHub
Issue Tracking;Patch
http://rhn.redhat.com/errata/RHSA-2017-0002.html

RHSA-2017:0002 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2016:2101

RHSA-2016:2101 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html

[security-announce] SUSE-SU-2016:2470-1: important: Security update for
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-5325

Products affected by CVE-2016-5325

Exploit prediction scoring system (EPSS) score for CVE-2016-5325

CVSS scores for CVE-2016-5325

CWE ids for CVE-2016-5325

References for CVE-2016-5325