[NPM:GHSA-Q5VX-44V4-GCH4] llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields

Severity Critical

Affected Packages 1

Fixed Packages 1

CVEs 1

The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. The LF character (without CR) is sufficient to delimit HTTP header fields in the lihttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This can lead to HTTP Request Smuggling (HRS).

Package	Affected Version
pkg:npm/llhttp	< 6.0.7

Package	Fixed Version
pkg:npm/llhttp	= 6.0.7

ID

NPM:GHSA-Q5VX-44V4-GCH4

Severity

critical

URL

https://github.com/advisories/GHSA-q5vx-44v4-gch4

Published

2022-07-15T00:00:18
(2 years ago)

Modified

2023-07-11T00:18:18
(14 months ago)

Rights

NPM Security Team

Other Advisories

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2022-32214
			https://hackerone.com/reports/1524692
			https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
			https://security.netapp.com/advisory/ntap-20220915-0001/
			https://www.debian.org/security/2023/dsa-5326
			https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb
			https://datatracker.ietf.org/doc/html/rfc7230#section-3
			https://github.com/advisories/GHSA-q5vx-44v4-gch4

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:npm/llhttp		llhttp	< 6.0.7
Fixed	pkg:npm/llhttp		llhttp	= 6.0.7

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date