PT-2021-4366 · llhttp +6

Published: 2021-10-12 · Updated: 2026-05-18 · CVE-2021-22960

CVSS v2.0: 10.0 (High) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: llhttp, 2.x branch prior to 2.1.4 and 6.x branch prior to 6.0.6. llhttp is the HTTP parser bundled with Node.js, so Node.js builds that embed one of those parser versions are affected as well.
Description: The parse function in llhttp ignores chunk extensions when parsing the body of a chunked request. The bytes of an extension are skipped rather than validated, so llhttp can place the end of a chunk-size line, and with it the chunk data and the end of the message body, at a different offset than an upstream proxy or load balancer that parses the same bytes. Under certain conditions this inconsistency yields HTTP Request Smuggling (HRS): a remote attacker sends one byte stream that the front end and llhttp split into different requests, so a request the front end never examined reaches the back end, bypassing controls enforced at the front end and gaining access the attacker is not entitled to.
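How two parsers come apart on the same bytes, as an added example written for this page in JavaScript (the language of the Node.js runtime that embeds llhttp). It is not llhttp's code and does not reproduce any reported exploit: the three decoding modes, the names readSizeLine, decodeChunked and demo, and the payload are constructed for illustration. One decoder ends the chunk-size line at a bare LF, one skips the extension up to the next CR without looking at it (the "ignores chunk extensions" behaviour the description names), and a strict one checks the RFC 9112 chunk-ext grammar and demands CRLF. Trailer fields, quoted-string extension values and optional whitespace inside the extension are not modelled.

```javascript
// Added example for this page, not llhttp's code: three ways a decoder can end a
// chunk-size line, and a constructed body on which they disagree.
// RFC 9112 s7.1 (BWS omitted here):
//   chunk     = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
//   chunk-ext = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
// Bodies are handled as latin1 strings so string offsets equal byte offsets.

const TCHAR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]$/;   // RFC 9110 tchar
const HEX = /^[0-9A-Fa-f]$/;

// Parse the chunk-size line that starts at `pos`.
// Returns { size, next } where `next` is the offset of the first chunk-data byte.
//   'bareLF'  : the line ends at the first LF, CRLF or not (lenient parsers).
//   'skipExt' : after ';' everything up to the next CR is ignored unvalidated,
//               i.e. the extension is "ignored" the way the advisory describes.
//   'strict'  : the extension must match the chunk-ext grammar and the line
//               must end in CRLF; anything else is rejected.
function readSizeLine(s, pos, mode) {
  let i = pos;
  let hex = '';
  while (i < s.length && HEX.test(s[i])) hex += s[i++];
  if (hex === '') throw new Error('bad chunk size at offset ' + pos);
  const size = parseInt(hex, 16);

  if (mode === 'bareLF') {
    while (i < s.length && s[i] !== '\n') i++;
    if (i >= s.length) throw new Error('unterminated chunk-size line');
    return { size, next: i + 1 };
  }
  if (mode === 'skipExt') {
    if (s[i] === ';') while (i < s.length && s[i] !== '\r') i++;
    if (s.slice(i, i + 2) !== '\r\n') throw new Error('expected CRLF after chunk size');
    return { size, next: i + 2 };
  }
  if (mode === 'strict') {
    while (s[i] === ';') {
      i++;
      let name = '';
      while (i < s.length && TCHAR.test(s[i])) name += s[i++];
      if (name === '') throw new Error('empty chunk-ext-name');
      if (s[i] === '=') {
        i++;
        let val = '';
        while (i < s.length && TCHAR.test(s[i])) val += s[i++];
        if (val === '') throw new Error('empty chunk-ext-val');
      }
    }
    if (s.slice(i, i + 2) !== '\r\n') throw new Error('chunk-size line must end with CRLF');
    return { size, next: i + 2 };
  }
  throw new Error('unknown mode ' + mode);
}

// Decode a complete chunked body (no trailer fields modelled).
// Returns { body, consumed, rest }: `rest` is what a server would treat as the
// beginning of the next request on the same connection.
function decodeChunked(s, mode) {
  let pos = 0;
  let body = '';
  for (;;) {
    const { size, next } = readSizeLine(s, pos, mode);
    pos = next;
    if (size === 0) break;                        // last-chunk
    if (pos + size > s.length) throw new Error('truncated chunk data');
    body += s.slice(pos, pos + size);
    pos += size;
    if (s.slice(pos, pos + 2) !== '\r\n') throw new Error('chunk data not followed by CRLF');
    pos += 2;
  }
  if (s.slice(pos, pos + 2) !== '\r\n') throw new Error('missing CRLF after last-chunk');
  pos += 2;
  return { body, consumed: pos, rest: s.slice(pos) };
}

// Constructed attacker body (not captured traffic). The chunk-size line is
// "23;x\n": a bare LF inside the extension. 0x23 = 35 bytes.
const SMUGGLED = 'GET /admin HTTP/1.1\r\nHost: x\r\n';   // 30 bytes
const INNER = '0\r\n\r\n' + SMUGGLED;                     // 35 bytes
const PAYLOAD = '23;x\n' + 'A'.repeat(35) + '\r\n' + INNER + '\r\n0\r\n\r\n';

// Run every decoder over the same bytes and report what each one saw.
function demo() {
  const out = {};
  for (const mode of ['bareLF', 'skipExt', 'strict']) {
    try {
      out[mode] = { ok: true, ...decodeChunked(PAYLOAD, mode) };
    } catch (e) {
      out[mode] = { ok: false, error: e.message };
    }
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

On this 84-byte payload the bareLF decoder finishes after 47 bytes with a body of 35 "A"s and leaves "GET /admin HTTP/1.1 ..." as the start of the next request; the skipExt decoder swallows the bare LF and the 35 "A"s as extension noise, then reads "0\r\n\r\nGET /admin ..." as the chunk data and consumes all 84 bytes; the strict decoder rejects the line because the extension is not followed by CRLF. Whichever side stops earlier treats the remainder as a fresh request, which is the smuggling primitive; the strict grammar check is what removes the ambiguity.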
Recommendations: For the llhttp 2.x branch, update to 2.1.4 or later; for the 6.x branch, update to 6.0.6 or later. Because llhttp is vendored in Node.js, Node.js users get the fix by updating to a release that carries the patched parser (12.22.7, 14.18.1 and 16.11.1 or later, or the distribution packages referenced under Related Identifiers); after updating, confirm the bundled parser version with `node -p process.versions.llhttp`. There is no library-level workaround: the parser cannot be "restricted" once the application accepts HTTP. Until the update is deployed, reduce exposure at the front end, for example by having the proxy or load balancer reject chunked requests whose chunk-size lines carry extensions or are not CRLF-terminated, or by de-chunking request bodies and forwarding them with a Content-Length, so that the front end and llhttp cannot disagree about where a request ends.

Weakness Enumeration

CWE-444: HTTP Request/Response Smuggling

Related Identifiers

ALSA-2021:5171
ALSA-2022:0350
ALT-PU-2021-3557
ALT-PU-2021-3615
ALT-PU-2022-3073
BDU:2021-04996
CESA-2021:5171
CESA-2022:0350
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2021-22960
DSA-5170-1
MGASA-2021-0592
OESA-2022-1620
OPENSUSE-SU-2021:1552-1
OPENSUSE-SU-2021:1574-1
OPENSUSE-SU-2021:3940-1
OPENSUSE-SU-2021:3964-1
OPENSUSE-SU-2022:2855-1
OPENSUSE-SU-2024:11616-1
OPENSUSE-SU-2024:11637-1
RHSA-2021:5171
RHSA-2022:0041
RHSA-2022:0246
RHSA-2022:0350
RHSA-2022:4914
RLSA-2021:5171
RLSA-2022:0350
SUSE-SU-2021:3886-1
SUSE-SU-2021:3940-1
SUSE-SU-2021:3964-1
SUSE-SU-2022:0101-1
SUSE-SU-2022:2855-1

Affected Products

ALT Linux
AlmaLinux
CentOS
Red Hat
Rocky Linux
SUSE
llhttp