CVE-2022-32214
MEDIUM
llhttp < 2.1.5 - HTTP Request Smuggling via CRLF Sequence Mismanagement
Title source: llm
Description
The llhttp parser in the http module in Node.js versions before v14.20.1, v16.17.1 and v18.9.1 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
References (3)
Core References
Third Party Advisory vendor-advisory
https://www.debian.org/security/2023/dsa-5326
Exploit, Issue Tracking, Third Party Advisory
https://hackerone.com/reports/1524692
Patch, Vendor Advisory
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
Scores
CVSS v3
6.5
EPSS
0.7691
EPSS Percentile
99.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-444
Status
published
Products (6)
debian/debian_linux
11.0
llhttp/llhttp
< 2.1.5
nodejs/node.js
14.0.0 - 14.14.0
nodejs/node.js
14.15.0 - 14.20.0
npm/llhttp
0 - 6.0.7
stormshield/stormshield_management_center
< 3.3.0
Published
Jul 14, 2022
Tracked Since
Feb 18, 2026