The Forgotten Bug: How a Node.js Core Design Flaw Enables HTTP Request Splitting
Deep dive into a TOCTOU vulnerability in Node.js's ClientRequest.path that bypasses CRLF validation and enables Header Injection and HTTP Request Splitting across 7+ major HTTP libraries totaling 160M+ weekly downloads