The vulnerability chain in Apache Thrift’s Node.js web_server.js arises from insufficient origin validation, missing pathname restrictions, and improper neutralization of CRLF sequences in HTTP headers. This allows a path traversal flaw (CWE‑22) to read or write files outside the intended directory, HTTP request/response splitting (CWE‑113 and CWE‑346) to inject CRLF into headers and perform request smuggling, and uncontrolled resource consumption (CWE‑400) to exhaust server resources. The combined effect can compromise confidentiality, integrity, and availability, but the description does not indicate a direct remote code execution channel.

The flaw affects all deployments of Apache Thrift that use the Node.js web_server.js component and are running any version earlier than 0.23.0. The vulnerability is present in the default web service configuration and is not limited to particular settings. Upgrading to 0.23.0 or later removes the problem.

The EPSS score for this issue is less than 1%, the CVSS score is 7.3, and it is not listed in the CISA KEV catalog, which suggests no evidence of active exploitation. The likely attack vector is remote network-based exploitation: an attacker can send crafted HTTP requests to the exposed web_server.js endpoint to trigger the path traversal, header injection, or resource exhaustion weaknesses. The lack of a publicly known exploit does not reduce the potential impact, and administrators should treat it as a medium to high risk until the patch is applied.