GHSA-5689-v88g-g6rv
GitHub Security Advisory
llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding
✓ GitHub Reviewed
CRITICAL
Has CVE
Advisory Details
The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
Impacts:
- All versions of the Node.js 18.x, 16.x, and 14.x release lines.
- llhttp v6.0.7 and llhttp v2.1.5 contain the fixes, which were updated inside Node.js.
Affected Packages
npm: llhttp
Affected versions: 0 (fixed in 6.0.7)
Key Information
9.0/10
Dataset
Last updated: September 21, 2025 6:29 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.