PT-2022-21154 · Node.Js+8

Zeyu Zhang +1 · Published 2022-07-08 · Updated 2026-05-18 · CVE-2022-32213

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Node.js versions prior to 14.20.1
Node.js versions prior to 16.17.1
Node.js versions prior to 18.9.1

Description

The issue arises from the llhttp parser in the http module in Node.js, which does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). All versions of the Node.js 18.x, 16.x, and 14.x release lines are impacted.

Recommendations

For Node.js versions prior to 14.20.1, update to version 14.20.1 or later.
For Node.js versions prior to 16.17.1, update to version 16.17.1 or later.
For Node.js versions prior to 18.9.1, update to version 18.9.1 or later.
As a temporary workaround, consider restricting access to the http module until a patch is available.

Exploit

Fix

HTTP Request/Response Smuggling


Weakness Enumeration

Related Identifiers

ALSA-2022:6448
ALSA-2022:6595
ALT-PU-2022-2701
ALT-PU-2022-3073
ALT-PU-2022-3235
ALT-PU-2023-1461
AZL-10150
AZL-41051
BIT-NODE-2022-32213
BIT-NODE-MIN-2022-32213
CESA-2022_6448
CESA-2022_6449
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2022-32213
DSA-5326-1
GHSA-5689-V88G-G6RV
MGASA-2022-0294
MGASA-2022-0354
OESA-2023-1551
OPENSUSE-SU-2022_2425-1
OPENSUSE-SU-2022_2430-1
OPENSUSE-SU-2022_2491-1
OPENSUSE-SU-2022_2551-1
OPENSUSE-SU-2022_2855-1
OPENSUSE-SU-2022_3614-1
OPENSUSE-SU-2022_3615-1
OPENSUSE-SU-2022_3616-1
OPENSUSE-SU-2022_3656-1
OPENSUSE-SU-2022_3835-1
OPENSUSE-SU-2023_0419-1
OPENSUSE-SU-2024:12199-1
OPENSUSE-SU-2024:12349-1
OPENSUSE-SU-2024:12408-1
OPENSUSE-SU-2025:15095-1
RHSA-2022:6389
RHSA-2022:6448
RHSA-2022:6449
RHSA-2022:6595
RHSA-2022:6985
RHSA-2022_6448
RHSA-2022_6449
RHSA-2022_6595
RLSA-2022:6448
RLSA-2022:6449
RLSA-2022:6595
SUSE-SU-2022:2415-1
SUSE-SU-2022:2416-1
SUSE-SU-2022:2417-1
SUSE-SU-2022:2425-1
SUSE-SU-2022:2430-1
SUSE-SU-2022:2491-1
SUSE-SU-2022:2551-1
SUSE-SU-2022:2855-1
SUSE-SU-2022:3503-1
SUSE-SU-2022:3516-1
SUSE-SU-2022:3524-1
SUSE-SU-2022:3614-1
SUSE-SU-2022:3615-1
SUSE-SU-2022:3616-1
SUSE-SU-2022:3656-1
SUSE-SU-2022:3835-1
SUSE-SU-2022_3503-1
SUSE-SU-2022_3516-1
SUSE-SU-2022_3524-1
SUSE-SU-2022_3614-1
SUSE-SU-2022_3615-1
SUSE-SU-2022_3616-1
SUSE-SU-2022_3656-1
SUSE-SU-2023:0408-1
SUSE-SU-2023:0419-1
USN-6491-1

Affected Products

Alt Linux
Almalinux
Centos
Linuxmint
Node.Js
Red Hat
Rocky Linux
Suse
Ubuntu