CVE-2021-22960
6.5MEDIUMThe parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
Published: 11/3/2021Updated: 11/21/2024
Description
The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
AI AnalysisPowered by AI
Affected Products
llhttpllhttp
llhttpllhttp
oraclegraalvm
20.3.4
oraclegraalvm
21.3.0
debiandebian_linux
11.0
References
- https://hackerone.com/reports/1238099ExploitIssue TrackingThird Party Advisory
- https://www.debian.org/security/2022/dsa-5170Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
- https://hackerone.com/reports/1238099ExploitIssue TrackingThird Party Advisory
- https://www.debian.org/security/2022/dsa-5170Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory