Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2022-32215

UNKNOWN
Published 2022-07-14T00:00:00
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2022-32215. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

NodeJS

Node

Affected Versions:

4.0 5.0 6.0 7.0 8.0 9.0 10.0 11.0 12.0 13.0 14.0 15.0 16.0 17.0 18.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed CRITICAL

GHSA-5492-mr68-4m2h

Advisory Details

The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

CVSS Scoring

CVSS Score

9.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-32215
WEB https://hackerone.com/reports/1501679
WEB https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY
WEB https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
WEB https://security.netapp.com/advisory/ntap-20220915-0001
WEB https://www.debian.org/security/2023/dsa-5326

Advisory provided by GitHub Security Advisory Database. Published: July 15, 2022, Modified: January 26, 2023

References

https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
https://hackerone.com/reports/1501679
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://www.debian.org/security/2023/dsa-5326

HackerOne Reports

HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (improper fix for CVE-2022-32215) Medium
shacharm
Node.js
HTTP Request Smuggling
View Report
Published: 2022-07-14T00:00:00
Last Modified: 2025-04-30T22:24:42.485Z
Copied to clipboard!