1. Home
  2. Vulnerabilities
  3. CVE-2022-32215

CVE-2022-32215

CVSS v3.1 6.5 (Medium)
65% Progress
EPSS 0.37 % (73th)
0.37% Progress
Affected Products 6
Advisories 32
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software OVAL Tools, Exploits & PoC Graph Web & Social Timeline

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

Weaknesses
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE Status
PUBLISHED
CNA
HackerOne
Published Date
2022-07-14 15:15:08
(2 years ago)
Updated Date
2023-11-07 03:47:46
(10 months ago)

Affected Products

Debian

Fedoraproject

Llhttp

Nodejs

Siemens

Stormshield

Configuration #1

    CPE23 From Up To
  Llhttp for Node.js from 14.0.0 version and prior 14.20.1 version cpe:2.3:a:llhttp:llhttp::*:*:*:*:node.js >= 14.0.0 < 14.20.1
  Llhttp for Node.js from 16.0.0 version and prior 16.17.1 version cpe:2.3:a:llhttp:llhttp::*:*:*:*:node.js >= 16.0.0 < 16.17.1
  Llhttp from 18.0.0 version and prior 18.9.1 version cpe:2.3:a:llhttp:llhttp >= 18.0.0 < 18.9.1
  Nodejs Node.js from 14.0.0 version and 14.14.0 and prior versions cpe:2.3:a:nodejs:node.js::*:*:*:- >= 14.0.0 <= 14.14.0
  Nodejs Node.js from 14.15.0 version and prior 14.20.0 version cpe:2.3:a:nodejs:node.js::*:*:*:lts >= 14.15.0 < 14.20.0
  Nodejs Node.js from 16.0.0 version and 16.12.0 and prior versions cpe:2.3:a:nodejs:node.js::*:*:*:- >= 16.0.0 <= 16.12.0
  Nodejs Node.js from 16.13.0 version and prior 16.16.0 version cpe:2.3:a:nodejs:node.js::*:*:*:lts >= 16.13.0 < 16.16.0
  Nodejs Node.js from 18.0.0 version and prior 18.5.0 version cpe:2.3:a:nodejs:node.js::*:*:*:- >= 18.0.0 < 18.5.0

Configuration #2

    CPE23 From Up To
  Fedoraproject Fedora 35 cpe:2.3:o:fedoraproject:fedora:35
  Fedoraproject Fedora 36 cpe:2.3:o:fedoraproject:fedora:36
  Fedoraproject Fedora 37 cpe:2.3:o:fedoraproject:fedora:37

Configuration #3

    CPE23 From Up To
  Siemens Sinec Ins 1.0 cpe:2.3:a:siemens:sinec_ins:1.0:-
  Siemens Sinec Ins 1.0 SP1 cpe:2.3:a:siemens:sinec_ins:1.0:sp1
  Siemens Sinec Ins 1.0 SP2 cpe:2.3:a:siemens:sinec_ins:1.0:sp2

Configuration #4

    CPE23 From Up To
  Debian Linux 11.0 cpe:2.3:o:debian:debian_linux:11.0

Configuration #5

    CPE23 From Up To
  Stormshield Management Center prior 3.3.2 version cpe:2.3:a:stormshield:stormshield_management_center < 3.3.2