CVE-2021-22960: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

November 3, 2021 (updated January 20, 2023)

The parse function in llhttp ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

References

hackerone.com/reports/1238099
nvd.nist.gov/vuln/detail/CVE-2021-22960

Detect and mitigate CVE-2021-22960 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →