CVE-2022-32214

CWE-444 — HTTP Request Smuggling11 documents9 sources

Severity

6.5MEDIUM

EPSS

45.8%

top 2.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Llhttp Llhttp Nodejs Node.js +2 more

Timeline

PublishedJul 14

Latest updateNov 21

Description

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages6 packages

▶npmllhttp< 6.0.7

▶NVDllhttp/llhttp6.0.0 — 6.0.7+1

▶CVEListV5nodejs/node4.0 — 4.*+14

▶NVDnodejs/node.js14.15.0 — 14.20.0+4

▶Debiannodejs< 12.22.12~dfsg-1~deb11u3+3

Also affects: Debian Linux 11.0

Patches

Patch: nodejs.org ↗Patch: nodejs.org ↗

🔴Vulnerability Details

OSV

nodejs vulnerabilities↗2023-11-21

▶

OSV

llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields↗2022-07-15

▶

GHSA

llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields↗2022-07-15

▶

OSV

CVE-2022-32214: The llhttp parser <v14↗2022-07-14

▶

CVEList

CVE-2022-32214: The llhttp parser <v14↗2022-07-14

▶

📋Vendor Advisories

Ubuntu

Node.js vulnerabilities↗2023-11-21

▶

Microsoft

The llhttp parser <v14.20.1 <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).↗2022-07-12

▶

Red Hat

nodejs: HTTP request smuggling due to improper delimiting of header fields↗2022-07-08

▶

Debian

CVE-2022-32214: llhttp - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.j...↗2022

▶

💬Community

HackerOne

CVE-2022-32214 - HTTP Request Smuggling Due To Improper Delimiting of Header Fields↗2022-07-22

▶