This repository was archived by the owner on Apr 22, 2023. It is now read-only.

Newlines in HTTP request method results in the injection of HTTP headers in requests #8947

@aegarbutt


The HTTP request method does not have any validation applied to it before constructing the first line of an HTTP request (https://github.com/joyent/node/blob/master/lib/_http_client.js#L129). A carefully constructed method, such as
GET / HTTP/1.1\r\nX-Foobar: Bazbang\r\nX-Discard:
if passed to http.request(method, '/intendedpath'), would result in an HTTP request like:

GET / HTTP/1.1
X-FOOBAR: BAZBANG
X-DISCARD: /intendedpath HTTP/1.1

The forced uppercasing that occurs at https://github.com/joyent/node/blob/master/lib/_http_client.js#L89 can be bypassed by URL encoding the method.

Security impact occurs when a server constructs and submits HTTP requests from client-provided data.

HTTP request methods are limited in the HTTP/1.0 and 1.1 RFCs to token, which is defined as:

token          = 1*<any CHAR except CTLs or tspecials>
CTL            = <any US-ASCII control character
                    (octets 0 - 31) and DEL (127)>
tspecials      = "(" | ")" | "<" | ">" | "@"
               | "," | ";" | ":" | "\" | <">
               | "/" | "[" | "]" | "?" | "="
               | "{" | "}" |  SP |  HT

Header injection within headers themselves is accounted for at:
https://github.com/joyent/node/blob/master/lib/_http_outgoing.js#L296-L297
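
Added example, not part of the original issue and not Node.js's own code: a check of the method against the token grammar quoted above, applied before the request line is built. The function names (`isHttpToken`, `buildRequestLine`, `buildRequestLineUnchecked`, `countLines`) are hypothetical, and the sample method string is the one given in the issue.

```javascript
// Characters excluded from a token besides control characters (tspecials, incl. SP and HT).
const TSPECIALS = new Set('()<>@,;:\\"/[]?={} \t');

// token = 1*<any CHAR except CTLs or tspecials>
function isHttpToken(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  for (let i = 0; i < value.length; i++) {
    const code = value.charCodeAt(i);
    // CHAR is US-ASCII (0-127); CTLs are octets 0-31 and DEL (127).
    if (code <= 31 || code >= 127) return false;
    if (TSPECIALS.has(value[i])) return false;
  }
  return true;
}

// Unchecked construction, as the issue describes it: the method is concatenated as-is.
function buildRequestLineUnchecked(method, path) {
  return method + ' ' + path + ' HTTP/1.1\r\n';
}

// Checked construction: refuse any method that is not a token before concatenating.
// (Validation of the path is outside the scope of this example.)
function buildRequestLine(method, path) {
  if (!isHttpToken(method)) {
    throw new TypeError('Method must be a valid HTTP token');
  }
  return buildRequestLineUnchecked(method, path);
}

// Counts the non-empty CRLF-terminated lines a "request line" actually contains.
function countLines(requestLine) {
  return requestLine.split('\r\n').filter((line) => line.length > 0).length;
}

// Method string from the issue, used here as sample input.
const injectedMethod = 'GET / HTTP/1.1\r\nX-Foobar: Bazbang\r\nX-Discard:';
```

With the unchecked builder the sample method yields three lines instead of one; the checked builder throws before anything is written to the socket.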
