CVE-2022-32214

CVSS v3.1 6.5 (Medium)

EPSS 0.22 % (61^th)

Affected Products 4

Advisories 27

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

Weaknesses

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVE Status: PUBLISHED
CNA: HackerOne
Published Date: 2022-07-14 15:15:08
(2 years ago)
Updated Date: 2023-07-19 00:55:52
(14 months ago)

Affected Products

Configuration #1

	CPE23	From	Up To
Llhttp for Node.js prior 2.1.5 version	cpe:2.3:a:llhttp:llhttp::::::node.js		< 2.1.5
Llhttp for Node.js from 6.0.0 version and prior 6.0.7 version	cpe:2.3:a:llhttp:llhttp::::::node.js	>= 6.0.0	< 6.0.7
Nodejs Node.js from 14.0.0 version and 14.14.0 and prior versions	cpe:2.3:a:nodejs:node.js::::*:-	>= 14.0.0	<= 14.14.0
Nodejs Node.js from 14.15.0 version and prior 14.20.0 version	cpe:2.3:a:nodejs:node.js::::*:lts	>= 14.15.0	< 14.20.0
Nodejs Node.js from 16.0.0 version and 16.12.0 and prior versions	cpe:2.3:a:nodejs:node.js::::*:-	>= 16.0.0	<= 16.12.0
Nodejs Node.js from 16.13.0 version and prior 16.16.0 version	cpe:2.3:a:nodejs:node.js::::*:lts	>= 16.13.0	< 16.16.0
Nodejs Node.js from 18.0.0 version and prior 18.5.0 version	cpe:2.3:a:nodejs:node.js::::*:-	>= 18.0.0	< 18.5.0

Configuration #2

		CPE23	From	Up To
	Debian Linux 11.0	cpe:2.3:o:debian:debian_linux:11.0

Configuration #3

		CPE23	From	Up To
	Stormshield Management Center prior 3.3.0 version	cpe:2.3:a:stormshield:stormshield_management_center		< 3.3.0

Weaknesses

Affected Products

Debian

Llhttp

Nodejs

Stormshield

Configuration #1

Configuration #2

Configuration #3