The Forgotten Bug: How a Node.js Core Design Flaw Enables HTTP Request Splitting

28 Feb 2026

Node.jsVulnerabilityHTTPSecurityTOCTOUCRLFHeaderInjectionRequestSplitting

The post describes a Time-of-Check to Time-of-Use (TOCTOU) vulnerability in Node.js’s ClientRequest.path that bypasses CRLF validation. This flaw allows header injection and HTTP request splitting. The issue affects over seven major HTTP libraries, collectively accounting for more than 160 million weekly downloads.

Read the original article on reddit.com