CVE-2022-32213HTTP Request Smuggling in Node

CWE-444HTTP Request Smuggling12 documents9 sources
Severity
6.5MEDIUMNVD
EPSS
88.5%
top 0.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
8
Nodejs NodeNodejsLlhttp+5 more
Timeline
PublishedJul 14
Latest updateNov 21

Description

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages7 packages

NVDllhttp/llhttp6.0.06.0.7+1
npmllhttp/llhttp< 6.0.7
CVEListV5nodejs/node4.04.*+14
NVDnodejs/node.js14.15.014.20.1+4
Debiannodejs/nodejs< 12.22.12~dfsg-1~deb11u3+3

Also affects: Debian Linux 11.0, Fedora 35, 36, 37

Patches

Patch: cert-portal.siemens.comPatch: nodejs.orgPatch: cert-portal.siemens.com

🔴Vulnerability Details

5
OSV
nodejs vulnerabilities2023-11-21
GHSA
llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding2022-07-15
OSV
llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding2022-07-15
CVEList
CVE-2022-32213: The llhttp parser <v142022-07-14
OSV
CVE-2022-32213: The llhttp parser <v142022-07-14

📋Vendor Advisories

4
Ubuntu
Node.js vulnerabilities2023-11-21
Microsoft
The llhttp parser <v14.20.1 <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).2022-07-12
Red Hat
nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding2022-07-08
Debian
CVE-2022-32213: llhttp - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.j...2022

💬Community

2
HackerOne
CVE-2022-32213 bypass via obs-fold mechanic2022-10-26
HackerOne
CVE-2022-32213 - HTTP Request Smuggling Due to Flawed Parsing of Transfer-Encoding2022-07-22
CVE-2022-32213 — HTTP Request Smuggling in Nodejs Node | cvebase