CVE-2022-32215

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in npm/llhttp

Identifiers

CVE-2022-32215

Package Slug

npm/llhttp

Vulnerability

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Description

The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
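A defender-side check for the condition described above, as an added example that is not part of the advisory or of llhttp: it scans a raw HTTP/1.1 header block for continuation lines (obs-fold, deprecated by RFC 7230) and reports whether Transfer-Encoding is among the folded fields. The function names and the sample requests are constructed for illustration.

```javascript
'use strict';

// Return the lower-cased names of header fields that span more than one line.
function findFoldedHeaders(rawHead) {
  // latin1 keeps a one-byte-to-one-character mapping, so no bytes are lost.
  const text = Buffer.isBuffer(rawHead) ? rawHead.toString('latin1') : String(rawHead);
  // The header section ends at the first empty line.
  const end = text.search(/\r?\n\r?\n/);
  const head = end === -1 ? text : text.slice(0, end);
  const folded = [];
  let current = null; // field name the previous line belongs to
  for (const line of head.split(/\r?\n/).slice(1)) { // slice(1) skips the request line
    if (/^[ \t]/.test(line)) {
      // A line starting with SP or HTAB continues the previous field.
      if (current !== null && !folded.includes(current)) folded.push(current);
      continue;
    }
    const colon = line.indexOf(':');
    current = colon > 0 ? line.slice(0, colon).trim().toLowerCase() : null;
  }
  return folded;
}

// True when the Transfer-Encoding field itself is split across lines.
function hasFoldedTransferEncoding(rawHead) {
  return findFoldedHeaders(rawHead).includes('transfer-encoding');
}

// Constructed sample requests (header blocks only, no bodies).
const SAMPLE_SINGLE_LINE =
  'POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: gzip, chunked\r\n\r\n';
const SAMPLE_FOLDED_TE =
  'POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: gzip,\r\n chunked\r\n\r\n';
const SAMPLE_FOLDED_OTHER =
  'GET / HTTP/1.1\r\nHost: app.example\r\nX-Note: first\r\n\tsecond\r\n\r\n';

for (const [name, raw] of Object.entries({ SAMPLE_SINGLE_LINE, SAMPLE_FOLDED_TE, SAMPLE_FOLDED_OTHER })) {
  console.log(name, findFoldedHeaders(raw), hasFoldedTransferEncoding(raw));
}
```

A front-end that sees `hasFoldedTransferEncoding` return true can answer 400 instead of forwarding the request to a back end that may parse the fold differently.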

Affected Versions

All versions before 2.1.5, and all versions from 6.0.0 up to (but not including) 6.0.7

Solution

Upgrade to version 2.1.5, 6.0.7, or above.

Last Modified

2022-07-26
