ALPINE-CVE-2020-8201
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 18 Sept 2020, 21:15
Last modified:03 Dec 2025, 22:47
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.4 HIGH
3.1 (osv_alpine)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
18 Sept 2020, 21:15
Published
Vulnerability first disclosed
03 Dec 2025, 22:47
Last Modified
Vulnerability information updated
Description
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.
CVSS Metrics
- v3.1•HIGH•Score: 7.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Systems
- alpine•nodejs
< 12.20.1-r0 | < 12.18.4-r0 | < 12.18.4-r0 | < 12.18.4-r0 | < 12.18.4-r0 | < 12.18.4-r0 | < 12.18.4-r0 | < 12.18.4-r0 | < 12.18.4-r0 | < 12.18.4-r0 | < 12.18.4-r0 | < 12.18.4-r0 | < 12.18.4-r0