CVE-2022-32214

MEDIUM

llhttp < 2.1.5 - HTTP Request Smuggling


Description

The llhttp parser in the http module in Node.js versions before v14.20.1, v16.17.1 and v18.9.1 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

Scores

CVSS v3 6.5
EPSS 0.3929
EPSS Percentile 97.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-444
Status published
Products (6)
debian/debian_linux 11.0
llhttp/llhttp < 2.1.5
nodejs/node.js 14.0.0 - 14.14.0
nodejs/node.js 14.15.0 - 14.20.0
npm/llhttp 0 - 6.0.7
stormshield/stormshield_management_center < 3.3.0
Published Jul 14, 2022
Tracked Since Feb 18, 2026