Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xNXZ4LTQ0djQtZ2NoNM4AAtZv
llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields
The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. The LF character (without CR) is sufficient to delimit HTTP header fields in the lihttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This can lead to HTTP Request Smuggling (HRS).
Permalink: https://github.com/advisories/GHSA-q5vx-44v4-gch4JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xNXZ4LTQ0djQtZ2NoNM4AAtZv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Percentage: 0.00304
EPSS Percentile: 0.69323
Identifiers: GHSA-q5vx-44v4-gch4, CVE-2022-32214
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-32214
- https://hackerone.com/reports/1524692
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://security.netapp.com/advisory/ntap-20220915-0001/
- https://www.debian.org/security/2023/dsa-5326
- https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb
- https://datatracker.ietf.org/doc/html/rfc7230#section-3
- https://github.com/advisories/GHSA-q5vx-44v4-gch4
Blast Radius: 6.4
Affected Packages
npm:llhttp
Dependent packages: 1Dependent repositories: 5
Downloads: 17 last month
Affected Version Ranges: < 6.0.7
Fixed in: 6.0.7
All affected versions: 1.0.1
All unaffected versions: