The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. The LF character (without CR) is sufficient to delimit HTTP header fields in the lihttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This can lead to HTTP Request Smuggling (HRS).

Affected Packages

npm llhttp

Affected versions: 0 (fixed in 6.0.7)

Related CVEs

CVE-2022-32214

Key Information

GHSA ID

GHSA-q5vx-44v4-gch4

Published

July 15, 2022 12:00 AM

Last Modified

July 11, 2023 12:18 AM

CVSS Score

9.0 /10

Primary Ecosystem

npm

Primary Package

llhttp

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 1, 2025 6:44 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.