CVE-2022-32215
6.5MEDIUMThe llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
Published: 7/14/2022Updated: 11/21/2024
Description
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
AI AnalysisPowered by AI
Affected Products
llhttpllhttp
llhttpllhttp
llhttpllhttp
nodejsnode.js
nodejsnode.js
nodejsnode.js
nodejsnode.js
nodejsnode.js
fedoraprojectfedora
35
fedoraprojectfedora
36
fedoraprojectfedora
37
siemenssinec_ins
1.0
siemenssinec_ins
1.0
siemenssinec_ins
1.0
debiandebian_linux
11.0
stormshieldstormshield_management_center
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdfPatchThird Party Advisory
- https://hackerone.com/reports/1501679ExploitIssue TrackingThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/PatchVendor Advisory
- https://www.debian.org/security/2023/dsa-5326Third Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdfPatchThird Party Advisory
- https://hackerone.com/reports/1501679ExploitIssue TrackingThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/PatchVendor Advisory
- https://www.debian.org/security/2023/dsa-5326Third Party Advisory