Hey Guix, The attached two patches together should address CVE-2020-8287 (in Node). I am kind of fuzzy on the details, but to me it seems that the vulnerability is actually in http-parser (and llhttp), not node. I informed upstream about my findings, but in the mean time we should probably apply these. The node package subsequently has a regression test to demonstrate that the applied fix works. Nonetheless, http-parser has quite some dependents, and I only verified everything to still work with node. - Jelle