All Vulnerability Reports

CVE-2019-15605: Node.js is vulnerable to request smuggling






Node.js Offline Buildpack, all versions prior to 1.7.13; App Metrics, all versions prior to 2.0.0; and VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.17, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, default to a version of Node.js that is vulnerable to HTTP request smuggling, which allows malicious payload delivery to unsuspecting users.

Affected VMware Products and Versions

Severity is critical unless otherwise noted.

  • Node.js Offline Buildpack
    • All versions prior to 1.7.13
  • App Metrics (formerly Pivotal Cloud Foundry Metrics)
    • All versions prior to 2.0.0
  • VMware Tanzu Application Service for VMs (formerly Pivotal Application Service)
    • 2.6.x versions prior to 2.6.17
    • 2.7.x versions prior to 2.7.11
    • 2.8.x versions prior to 2.8.5


Users of affected versions should apply the following mitigation or upgrade:

  • Node.js Offline Buildpack
    • 1.7.13
  • App Metrics
    • 2.0.0
  • VMware Tanzu Application Service for VMs
    • 2.6.17
    • 2.7.11
    • 2.8.5
    • 2.9.0



2020-05-26: Initial vulnerability report published.