CVE-2022-32214
Published 2022-07-14
Severity: Medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
Affected
39 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | llhttp | < nodejs 18.6.0+dfsg-3 (bookworm) | nodejs 18.6.0+dfsg-3 (bookworm) |
| debian | nodejs | < nodejs 18.6.0+dfsg-3 (bookworm) | nodejs 18.6.0+dfsg-3 (bookworm) |
| llhttp | llhttp | < 2.1.5 | 2.1.5 |
| llhttp | llhttp | >= 0 < 6.0.7 | 6.0.7 |
| llhttp | llhttp | >= 6.0.0 < 6.0.7 | 6.0.7 |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_nodejs_16.16.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_nodejs_14.20.0-1_on_cbl_mariner_1.0 | — | — |
| nodejs | node | >= 10.0 < 10.* | 10.* |
| nodejs | node | >= 11.0 < 11.* | 11.* |
| nodejs | node | >= 12.0 < 12.* | 12.* |
| nodejs | node | >= 13.0 < 13.* | 13.* |
| nodejs | node | >= 14.0 < 14.20.0 | 14.20.0 |
| nodejs | node | >= 15.0 < 15.* | 15.* |
| nodejs | node | >= 16.0 < 16.20.0 | 16.20.0 |
| nodejs | node | >= 17.0 < 17.* | 17.* |
| nodejs | node | >= 18.0 < 18.5.0 | 18.5.0 |
| nodejs | node | >= 4.0 < 4.* | 4.* |
| nodejs | node | >= 5.0 < 5.* | 5.* |
| nodejs | node | >= 6.0 < 6.* | 6.* |
| nodejs | node | >= 7.0 < 7.* | 7.* |
| nodejs | node | >= 8.0 < 8.* | 8.* |
CVSS provenance
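| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| osv | — | 8.1 | HIGH | — |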