rss-bridge
2026-02-27T17:58:49+00:00
The Forgotten Bug: How a Node.js Core Design Flaw Enables HTTP Request Splitting
Deep dive into a TOCTOU vulnerability in Node.js's ClientRequest.path that bypasses CRLF validation and enables Header Injection and HTTP Request Splitting across 7+ major HTTP libraries totaling 160M+ weekly downloads.
Submitted by /u/r3verii
Source: https://www.reddit.com/r/netsec/comments/1rgdw7w/the_forgotten_bug_how_a_nodejs_core_design_flaw/