The Forgotten Bug: How a Node.js Core Design Flaw Enables HTTP Request Splitting

Deep dive into a TOCTOU vulnerability in Node.js's ClientRequest.path that bypasses CRLF validation and enables Header Injection and HTTP Request Splitting across 7+ major HTTP libraries totaling 160M+ weekly downloads

submitted by /u/r3verii