The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
blog.safebreach.com/2016/02/09/http-response-splitting-in-node-js-root-cause-analysis/
info.safebreach.com/hubfs/Node-js-Response-Splitting.pdf
packetstormsecurity.com/files/135711/Node.js-HTTP-Response-Splitting.html
www.securityfocus.com/bid/83141
lists.fedoraproject.org/pipermail/package-announce/2016-February/177184.html
lists.fedoraproject.org/pipermail/package-announce/2016-February/177673.html
nodejs.org/en/blog/vulnerability/february-2016-security-releases/
security.gentoo.org/glsa/201612-43