CVE-2022-32214
UNKNOWN
Published 2022-07-14T00:00:00
Actions:
Expert Analysis
Professional remediation guidance
Get tailored security recommendations from our analyst team for CVE-2022-32214. We'll provide specific mitigation strategies based on your environment and risk profile.
No CVSS data available
Description
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
Available Exploits
No exploits available for this CVE.
Related News
No news articles found for this CVE.
Affected Products
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
✓ GitHub Reviewed
CRITICAL
llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields
GHSA-q5vx-44v4-gch4Advisory Details
The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. The LF character (without CR) is sufficient to delimit HTTP header fields in the lihttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This can lead to HTTP Request Smuggling (HRS).
Affected Packages
npm
llhttp
ECOSYSTEM:
≥0
<6.0.7
CVSS Scoring
CVSS Score
9.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
Advisory provided by GitHub Security Advisory Database. Published: July 15, 2022, Modified: July 11, 2023
References
Published: 2022-07-14T00:00:00
Last Modified: 2025-04-30T22:24:43.342Z
Copied to clipboard!