There is a vulnerability in node's http_parser binding which allows information disclosure to a remote attacker.

In node::StringPtr::Update, an optimization is attempted on certain inputs (node_http_parser.cc, line 151). The intent is that if the current string pointer plus the current string size is equal to the incoming string pointer, the current string size is simply increased to match, because the incoming string lies just beyond the current string. However, the check that decides whether this can be done is incorrect: "size" is used where "size_" should be used. An attacker can therefore call Update with a string of a certain length and cause the current string to have other data appended to it. When HTTP is being parsed out of incoming socket data, this can be incoming data from other sockets.

Normally node::StringPtr::Save, which is called after each execution of http_parser, would stop this from being exploitable, as it converts strings to non-optimizable heap-based strings. However, this is not done for 0-length strings. An attacker can therefore exploit the mistake by making Update set a 0-length string and then Update past its boundary, so long as both happen in one http_parser execution. This can be done with an HTTP header with an empty value, followed by a continuation with a value of a certain length.

The attached files demonstrate the issue:

    $ ./node ~/stringptr-update-poc-server.js &
    [1] 11801
    $ ~/stringptr-update-poc-client.py
    HTTP/1.1 200 OK
    Content-Type: text/plain
    Date: Wed, 18 Apr 2012 00:05:11 GMT
    Connection: close
    Transfer-Encoding: chunked

    64
    X header: This is private data, perhaps an HTTP request with a Cookie in it.
    0

Note that the round-up-by-16 caused by slab allocation makes it easier to guess the required HTTP header value length.

An attacker could send an HTTP request that uses any header field which is given in the HTTP response or used otherwise. Likewise, an HTTP response that, i.e., uses a Set-Cookie field could have the bad header value echoed back in a subsequent HTTP request (note that HTTP header values set via node aren't escaped).
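
A minimal model of the flawed contiguity check described above, added here as an illustration and not taken from node_http_parser.cc. `ModelStringPtr`, `CopyToHeap`, `Run`, `SavedToHeap`, the `buggy_` switch and the buffer contents are assumptions made for the example; it shows the `size`/`size_` mix-up letting a 0-length string absorb bytes it was never given, and Save leaving a 0-length string off the heap.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Simplified model (names assumed): a pointer+length string that grows in place.
struct ModelStringPtr {
  const char* str_ = nullptr;
  std::size_t size_ = 0;
  bool on_heap_ = false;
  bool buggy_;  // true: test contiguity with incoming `size`; false: `size_`
  explicit ModelStringPtr(bool buggy) : buggy_(buggy) {}
  ~ModelStringPtr() { if (on_heap_) delete[] str_; }
  void CopyToHeap(const char* extra, std::size_t n) {  // old bytes + n new
    char* s = new char[size_ + n];
    std::memcpy(s, str_, size_);
    std::memcpy(s + size_, extra, n);
    if (on_heap_) delete[] str_;
    str_ = s;
    on_heap_ = true;
  }
  // Run after each parser execution; 0-length strings are left in place.
  void Save() { if (!on_heap_ && size_ > 0) CopyToHeap("", 0); }
  void Update(const char* str, std::size_t size) {
    if (str_ == nullptr) {
      str_ = str;
    } else if (on_heap_ || str_ + (buggy_ ? size : size_) != str) {
      CopyToHeap(str, size);  // not contiguous: copy old and new bytes
    }
    size_ += size;
  }
};

// Constructed buffer: 8 unrelated bytes, then 8 bytes of incoming input.
static const char kBuf[] = "PRIVATE!incoming";
std::string Run(bool buggy) {
  ModelStringPtr p(buggy);
  p.Update(kBuf, 0);      // empty value: size_ stays 0, string stays off-heap
  p.Update(kBuf + 8, 8);  // length equals the gap, so the buggy test passes
  return std::string(p.str_, p.size_);
}
bool SavedToHeap(std::size_t len) {  // does Save() copy a len-byte string?
  ModelStringPtr p(false);
  p.Update(kBuf, len);
  p.Save();
  return p.on_heap_;
}
int main() {
  std::printf("buggy: %s\nfixed: %s\n", Run(true).c_str(), Run(false).c_str());
}
```

With the `size_` comparison the second Update takes the copy path, so the string holds only the bytes that were actually passed in.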