PT-2022-3606 · Node.Js+8

Zeyu Zhang +1 · Published 2022-07-07 · Updated 2026-05-18 · CVE-2022-32214

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Node.js versions prior to 14.20.1
Node.js versions prior to 16.17.1
Node.js versions prior to 18.9.1

Description

The llhttp parser in the Node.js http module does not strictly require the CRLF sequence to delimit HTTP requests. A bare LF character (without CR) is sufficient to delimit HTTP header fields in the llhttp parser, which contradicts RFC 7230 section 3: only the CRLF sequence should delimit each header-field. This can lead to HTTP Request Smuggling (HRS) by a remote attacker.

Recommendations

For versions prior to 14.20.1, update to version 14.20.1 or later.
For versions prior to 16.17.1, update to version 16.17.1 or later.
For versions prior to 18.9.1, update to version 18.9.1 or later.
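
The parsing disagreement in the description, as an added example (not code from Node.js or llhttp): it locates bare LF bytes in a request's header section and shows that a CRLF-only splitter and an LF-tolerant splitter count different header fields. The function names and the sample request are constructed for illustration.

```javascript
// Added example: names and the sample request are constructed for illustration.
const CR = 0x0d, LF = 0x0a;

// Header section = bytes up to and including the line ending before the first
// empty line. The end is found leniently so bare-LF input is still inspected.
function headerSection(raw) {
  for (let i = 0; i < raw.length; i++) {
    if (raw[i] !== LF) continue;
    if (raw[i + 1] === LF) return raw.subarray(0, i + 1);
    if (raw[i + 1] === CR && raw[i + 2] === LF) return raw.subarray(0, i + 1);
  }
  return raw;
}

// Byte offsets of every LF in the header section not preceded by CR.
function findBareLF(raw) {
  const head = headerSection(raw);
  const offsets = [];
  for (let i = 0; i < head.length; i++) {
    if (head[i] === LF && (i === 0 || head[i - 1] !== CR)) offsets.push(i);
  }
  return offsets;
}

// Header fields when only CRLF ends a line (RFC 7230 section 3).
function strictFields(raw) {
  return headerSection(raw).toString('latin1').split('\r\n').filter(Boolean).slice(1);
}

// Header fields when a bare LF is also accepted as a line ending.
function lenientFields(raw) {
  return headerSection(raw).toString('latin1').split(/\r?\n/).filter(Boolean).slice(1);
}

// A request head is ambiguous between the two readings if it has any bare LF;
// a front end can reject such a request rather than forward it.
function inspectHead(raw) {
  const bareLF = findBareLF(raw);
  return { ambiguous: bareLF.length > 0, bareLF,
           strict: strictFields(raw), lenient: lenientFields(raw) };
}

// Constructed sample: one bare LF inside what a CRLF-only reader sees as one field.
const sample = Buffer.from(
  'GET / HTTP/1.1\r\nHost: example.test\r\nX-Note: a\nX-Extra: 1\r\n\r\n', 'latin1');
console.log(inspectHead(sample));
```

For the sample, the CRLF-only reading yields two header fields and the LF-tolerant reading yields three, which is the mismatch between two HTTP processors that request smuggling depends on.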

Exploit

Fix

HTTP Request/Response Smuggling


Weakness Enumeration

Related Identifiers

ALSA-2022:6448
ALSA-2022:6595
ALT-PU-2022-2226
ALT-PU-2022-3073
ALT-PU-2022-3235
AZL-10151
AZL-40893
BDU:2022-04390
BIT-NODE-2022-32214
BIT-NODE-MIN-2022-32214
CESA-2022_6448
CESA-2022_6449
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2022-32214
DSA-5326-1
GHSA-Q5VX-44V4-GCH4
MGASA-2022-0294
OESA-2023-1551
OPENSUSE-SU-2022_2425-1
OPENSUSE-SU-2022_2430-1
OPENSUSE-SU-2022_2491-1
OPENSUSE-SU-2022_2551-1
OPENSUSE-SU-2022_2855-1
OPENSUSE-SU-2023_0419-1
RHSA-2022:6389
RHSA-2022:6448
RHSA-2022:6449
RHSA-2022:6595
RHSA-2022:6985
RHSA-2022_6448
RHSA-2022_6449
RHSA-2022_6595
RLSA-2022:6448
RLSA-2022:6449
RLSA-2022:6595
SUSE-SU-2022:2415-1
SUSE-SU-2022:2416-1
SUSE-SU-2022:2417-1
SUSE-SU-2022:2425-1
SUSE-SU-2022:2430-1
SUSE-SU-2022:2491-1
SUSE-SU-2022:2551-1
SUSE-SU-2022:2855-1
SUSE-SU-2023:0408-1
SUSE-SU-2023:0419-1
USN-6491-1

Affected Products

Alt Linux
Almalinux
Centos
Linuxmint
Node.Js
Red Hat
Rocky Linux
Suse
Ubuntu