The host is installed with Node.js 8.x before 8.14.0, or 6.x before 6.15.0 and is prone to an HTTP request splitting vulnerability. A flaw is present in the application which fails to handle an unsanitized user-provided Unicode data for the `path` option of an HTTP request. Successful exploitation allows an attacker to provide a data which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.