CVE-2021-22959

CVSS v3.1 6.5 (Medium)
CVSS v2.0 6.4 (Medium)
EPSS 0.34 % (72nd)
Affected Products 3
Advisories 27

The parser accepts requests with a space (SP) right after the header name, before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

Weaknesses: CWE-444, Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE Status: PUBLISHED
CNA: HackerOne
Published Date: 2021-11-15 15:15:06
Updated Date: 2022-12-09 16:14:48

Affected Products


Configuration #1

  Product | CPE23 | From | Up To
  Llhttp for Node.js prior 2.1.4 version | cpe:2.3:a:llhttp:llhttp::*:*:*:*:node.js | - | < 2.1.4
  Llhttp for Node.js from 3.0.0 version and prior 6.0.6 version | cpe:2.3:a:llhttp:llhttp::*:*:*:*:node.js | >= 3.0.0 | < 6.0.6

Configuration #2

  Product | CPE23 | From | Up To
  Oracle Graalvm 20.3.4 | cpe:2.3:a:oracle:graalvm:20.3.4:*:*:*:enterprise | - | -
  Oracle Graalvm 21.3.0 | cpe:2.3:a:oracle:graalvm:21.3.0:*:*:*:enterprise | - | -

Configuration #3

  Product | CPE23 | From | Up To
  Debian Linux 11.0 | cpe:2.3:o:debian:debian_linux:11.0 | - | -