Skip to content

Remove false positive from nodejs pipelining check#21332

Merged
cgranleese-r7 merged 1 commit intorapid7:masterfrom
adfoster-r7:remove-false-positive-from-nodejs-pipelining-check
Apr 20, 2026
Merged

Remove false positive from nodejs pipelining check#21332
cgranleese-r7 merged 1 commit intorapid7:masterfrom
adfoster-r7:remove-false-positive-from-nodejs-pipelining-check

Conversation

@adfoster-r7
Copy link
Copy Markdown
Contributor

@adfoster-r7 adfoster-r7 commented Apr 20, 2026

Remove false positive from nodejs pipelining check

When running this module against most HTTP servers, it will claims that it's vulnerable (extra debugging added):

msf auxiliary(dos/http/nodejs_pipelining) > recheck tcp://127.0.0.1:8000 ssl=false httptrace=true
[*] Reloading module...
GEM / HTTP/1.1
Host: 127.0.0.1:8000

HTTP/1.1 405 Method Not Allowed
Content-Type: text/html; charset=ISO-8859-1
Server: WEBrick/1.9.1 (Ruby/3.3.0/2023-12-25)
Date: Wed, 15 Apr 2026 16:48:29 GMT
Content-Length: 299
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<HTML>
  <HEAD><TITLE>Method Not Allowed</TITLE></HEAD>
  <BODY>
    <H1>Method Not Allowed</H1>
    unsupported method 'GEM'.
    <HR>
    <ADDRESS>
     WEBrick/1.9.1 (Ruby/3.3.0/2023-12-25) at
     127.0.0.1:8000
    </ADDRESS>
  </BODY>
</HTML>
[+] 127.0.0.1:8000 - The target appears to be vulnerable. Node.js accepted a malformed HTTP method, likely < 0.10.17
msf auxiliary(dos/http/nodejs_pipelining) >

After setting up a vuln environment, the check method doesn't work:

msf auxiliary(dos/http/nodejs_pipelining) > recheck tcp://127.0.0.1:9050  ssl=false httptrace=true
[*] Reloading module...
GEM / HTTP/1.1
Host: 127.0.0.1:9050

[*] 127.0.0.1:9050 - Cannot reliably check exploitability. No response to malformed HTTP request
msf auxiliary(dos/http/nodejs_pipelining) >

The original check method was added here: #2548 (comment)

As the module's from 2013 and there doesn't seem to be a viable check method to implement currently, I'm opting to remove it for now.

Verification

  • Review the PR

@adfoster-r7 adfoster-r7 marked this pull request as ready for review April 20, 2026 12:59
@adfoster-r7 adfoster-r7 force-pushed the remove-false-positive-from-nodejs-pipelining-check branch from 048e3e3 to f060acd Compare April 20, 2026 13:03
@cgranleese-r7 cgranleese-r7 self-assigned this Apr 20, 2026
@cgranleese-r7 cgranleese-r7 merged commit a53d0a0 into rapid7:master Apr 20, 2026
18 checks passed
@cgranleese-r7 cgranleese-r7 added the rn-no-release-notes no release notes label Apr 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dwelch-r7 dwelch-r7 dwelch-r7 approved these changes

@cgranleese-r7 cgranleese-r7 cgranleese-r7 approved these changes

Assignees

@cgranleese-r7 cgranleese-r7

Labels

rn-no-release-notes no release notes

Projects

Metasploit Kanban
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@adfoster-r7 @dwelch-r7 @cgranleese-r7 @smcintyre-r7