PT-2021-4365 · Llhttp+6

Published: 2021-10-14 · Updated: 2026-05-18

CVE-2021-22959

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

llhttp versions prior to 2.1.4
llhttp versions prior to 6.0.6

Description

The llhttp parser accepts requests that contain a space immediately after the header name, before the colon, which leads to HTTP Request Smuggling (HRS). A remote attacker can exploit this inconsistency in how HTTP request headers are interpreted to potentially elevate their privileges.

Recommendations

For llhttp versions prior to 2.1.4, update to version 2.1.4 or later.
For llhttp versions prior to 6.0.6, update to version 6.0.6 or later.

Exploit

Fix

HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

ALSA-2021:5171
ALSA-2022:0350
ALT-PU-2021-3557
ALT-PU-2021-3615
ALT-PU-2022-3073
BDU:2021-04995
CESA-2021_5171
CESA-2022_0350
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2021-22959
DSA-5170-1
MGASA-2021-0592
OESA-2022-1620
OPENSUSE-SU-2021:1552-1
OPENSUSE-SU-2021:1574-1
OPENSUSE-SU-2021:3940-1
OPENSUSE-SU-2021:3964-1
OPENSUSE-SU-2021_1552-1
OPENSUSE-SU-2021_1574-1
OPENSUSE-SU-2021_3940-1
OPENSUSE-SU-2021_3964-1
OPENSUSE-SU-2022_2855-1
OPENSUSE-SU-2024:11616-1
OPENSUSE-SU-2024:11637-1
OPENSUSE-SU-2024:12237-1
OPENSUSE-SU-2025:15095-1
RHSA-2021:5171
RHSA-2021_5171
RHSA-2022:0041
RHSA-2022:0246
RHSA-2022:0350
RHSA-2022:4914
RHSA-2022_0350
RLSA-2021:5171
RLSA-2022:0350
SUSE-SU-2021:3886-1
SUSE-SU-2021:3940-1
SUSE-SU-2021:3964-1
SUSE-SU-2021_3886-1
SUSE-SU-2021_3940-1
SUSE-SU-2021_3964-1
SUSE-SU-2022:0101-1
SUSE-SU-2022:2855-1
SUSE-SU-2022_0101-1

Affected Products

Alt Linux
AlmaLinux
CentOS
Red Hat
Rocky Linux
SUSE
llhttp