CVE-2022-32215: HTTP Request Smuggling in Node

Severity: 6.5 MEDIUM (NVD)
EPSS: 87.4% (top 0.54%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 14; latest update Nov 21

Description

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages (6 packages)

NVD | llhttp/llhttp | 14.0.0 | 14.20.1 | +2
CVEListV5 | nodejs/node | 4.0 | 4.* | +14
NVD | nodejs/node.js | 14.15.0 | 14.20.0 | +4
Debian | nodejs/nodejs | < 12.22.12~dfsg-1~deb11u3 | +3

Also affects: Debian Linux 11.0, Fedora 35, 36, 37

Patches

🔴 Vulnerability Details (4)

OSV: nodejs vulnerabilities (2023-11-21)
GHSA: GHSA-5492-mr68-4m2h: The llhttp parser in the http module in Node v17 (2022-07-15)
OSV: CVE-2022-32215: The llhttp parser <v14 (2022-07-14)
CVEList: CVE-2022-32215: The llhttp parser <v14 (2022-07-14)

📋 Vendor Advisories (6)

Ubuntu: Node.js vulnerabilities (2023-11-21)
Oracle: Oracle Blockchain Platform Risk Matrix: BCS Console (Node.js) — CVE-2022-32215 (2023-04-15)
Oracle: Oracle Java SE Risk Matrix: Node (Node.js) — CVE-2022-32215 (2022-10-15)
Microsoft: The llhttp parser <v14.20.1 <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). (2022-07-12)
Red Hat: nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding (2022-07-08)

💬 Community (2)

HackerOne: HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (improper fix for CVE-2022-32215) (2022-10-26)
HackerOne: CVE-2022-32215 - HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (2022-07-22)
CVE-2022-32215 — HTTP Request Smuggling in Nodejs Node | cvebase