Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2022-32213

UNKNOWN
Published 2022-07-14T00:00:00
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2022-32213. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

NodeJS

Node

Affected Versions:

4.0 5.0 6.0 7.0 8.0 9.0 10.0 11.0 12.0 13.0 14.0 15.0 16.0 17.0 18.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed CRITICAL

llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding

GHSA-5689-v88g-g6rv

Advisory Details

The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). Impacts: - All versions of the nodejs 18.x, 16.x, and 14.x releases lines. - llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js

Affected Packages

npm llhttp
ECOSYSTEM: ≥0 <6.0.7

CVSS Scoring

CVSS Score

9.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-32213
WEB https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb
WEB https://hackerone.com/reports/1524555
WEB https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY
WEB https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
WEB https://security.netapp.com/advisory/ntap-20220915-0001
WEB https://www.debian.org/security/2023/dsa-5326

Advisory provided by GitHub Security Advisory Database. Published: July 15, 2022, Modified: July 10, 2023

References

https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
https://hackerone.com/reports/1524555
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://www.debian.org/security/2023/dsa-5326

HackerOne Reports

CVE-2022-32213 bypass via obs-fold mechanic Medium
haxatron1
Node.js
HTTP Request Smuggling
View Report
Published: 2022-07-14T00:00:00
Last Modified: 2025-04-30T22:24:45.103Z
Copied to clipboard!