CVE-2022-32215
published 2022-07-14CVE-2022-32215: The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead…
medium6.5CVSS 3.1
AVNACLPRNUINSUCLILAN
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
Affected
43 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | llhttp | < nodejs 18.6.0+dfsg-3 (bookworm) | nodejs 18.6.0+dfsg-3 (bookworm) |
| debian | nodejs | < nodejs 18.6.0+dfsg-3 (bookworm) | nodejs 18.6.0+dfsg-3 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| llhttp | llhttp | >= 14.0.0 < 14.20.1 | 14.20.1 |
| llhttp | llhttp | >= 16.0.0 < 16.17.1 | 16.17.1 |
| llhttp | llhttp | >= 18.0.0 < 18.9.1 | 18.9.1 |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_nodejs_16.16.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_nodejs_14.20.0-1_on_cbl_mariner_1.0 | — | — |
| nodejs | node | >= 10.0 < 10.* | 10.* |
| nodejs | node | >= 11.0 < 11.* | 11.* |
| nodejs | node | >= 12.0 < 12.* | 12.* |
| nodejs | node | >= 13.0 < 13.* | 13.* |
| nodejs | node | >= 14.0 < 14.20.1 | 14.20.1 |
| nodejs | node | >= 15.0 < 15.* | 15.* |
| nodejs | node | >= 16.0 < 16.17.1 | 16.17.1 |
| nodejs | node | >= 17.0 < 17.* | 17.* |
| nodejs | node | >= 18.0 < 18.9.1 | 18.9.1 |
| nodejs | node | >= 4.0 < 4.* | 4.* |
| nodejs | node | >= 5.0 < 5.* | 5.* |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
osv8.1HIGH