CVE-2021-22959

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in npm/llhttp

Identifiers

CVE-2021-22959

Package Slug

npm/llhttp

Vulnerability

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Description

The llhttp parser accepts requests with a space (SP) between the header name and the colon. This can lead to HTTP Request Smuggling (HRS).
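The check below is an added example, not code from llhttp or from this advisory: it flags header lines that carry whitespace between the field-name and the colon, which RFC 7230 section 3.2.4 requires a server to reject with 400. The function name `findMalformedHeaders` and the sample requests are constructed for illustration.

```javascript
// RFC 7230 "token" characters, the only ones allowed in a field-name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Scan a raw request head (request line plus header fields, CRLF-delimited)
// and return one finding per header line whose field-name is malformed.
// Hypothetical helper for a pre-parser filter, test harness, or log review.
function findMalformedHeaders(rawHead) {
  const lines = rawHead.split('\r\n');
  const findings = [];
  // lines[0] is the request line; header fields start at index 1.
  for (let i = 1; i < lines.length; i++) {
    const line = lines[i];
    if (line === '') break; // blank line ends the header section
    const colon = line.indexOf(':');
    if (colon === -1) {
      findings.push({ line: i + 1, reason: 'no colon', text: line });
      continue;
    }
    const name = line.slice(0, colon);
    if (/[ \t]$/.test(name)) {
      // The form described in this advisory: "Name : value".
      findings.push({ line: i + 1, reason: 'whitespace before colon', text: line });
    } else if (!TOKEN.test(name)) {
      findings.push({ line: i + 1, reason: 'invalid field-name', text: line });
    }
  }
  return findings;
}

// Constructed sample inputs: one well-formed head, one with SP before the colon.
const clean =
  'POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n';
const suspect =
  'POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\n';

console.log(findMalformedHeaders(clean));
console.log(findMalformedHeaders(suspect));
```

A front end or proxy that rejects such requests outright keeps it and the back end from disagreeing about the message framing, which is the condition request smuggling depends on.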

Affected Versions

All versions before 2.1.4, all versions starting from 3.0.0 before 6.0.6

Solution

Upgrade to version 2.1.4, 6.0.6 or above.

Last Modified

2021-11-18
