CVE-2022-32215

MEDIUM

Llhttp < 14.20.1 - HTTP Request Smuggling

Title source: rule

Description

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

References (7)

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/

[Third Party Advisory] https://www.debian.org/security/2023/dsa-5326

[Patch, Third Party Advisory] https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf

[Exploit, Issue Tracking, Third Party Advisory] https://hackerone.com/reports/1501679

[Patch, Vendor Advisory] https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/

Scores

CVSS v3 6.5

EPSS 0.8739

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE

CWE-444

Status published

Products (10)

debian/debian_linux 11.0

fedoraproject/fedora 35

fedoraproject/fedora 36

fedoraproject/fedora 37

llhttp/llhttp 14.0.0 - 14.20.1

llhttp/llhttp 18.0.0 - 18.9.1

nodejs/node.js 14.0.0 - 14.14.0

nodejs/node.js 14.15.0 - 14.20.0

siemens/sinec_ins 1.0 (3 CPE variants)

stormshield/stormshield_management_center < 3.3.2

Published Jul 14, 2022

Tracked Since Feb 18, 2026