MidnightBSD

Advisories for llhttp

CVE-2021-22959 MEDIUM

The parser in llhttp accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444

Products Affected

Vendor   Product       Version
debian   debian_linux  11.0
oracle   graalvm       21.3.0
llhttp   llhttp        *
oracle   graalvm       20.3.4

CVE-2021-22960 MEDIUM

The parse function in llhttp < 2.1.4 and < 6.0.6 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444

Products Affected

Vendor   Product       Version
debian   debian_linux  11.0
oracle   graalvm       21.3.0
llhttp   llhttp        *
oracle   graalvm       20.3.4

CVE-2022-32213

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

CVSS 3.x

Source        Score  Severity  Vector                                         Exploitability  Impact
nvd@nist.gov  6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N   3.9             2.5

Products Affected

Vendor         Product                       Version
fedoraproject  fedora                        35
nodejs         node.js                       *
debian         debian_linux                  11.0
fedoraproject  fedora                        37
llhttp         llhttp                        *
fedoraproject  fedora                        36
siemens        sinec_ins                     1.0
stormshield    stormshield_management_center *

CVE-2022-32214

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

CVSS 3.x

Source        Score  Severity  Vector                                         Exploitability  Impact
nvd@nist.gov  6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N   3.9             2.5

Products Affected

Vendor         Product                       Version
nodejs         node.js                       *
debian         debian_linux                  11.0
llhttp         llhttp                        *
stormshield    stormshield_management_center *

CVE-2022-32215

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

CVSS 3.x

Source        Score  Severity  Vector                                         Exploitability  Impact
nvd@nist.gov  6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N   3.9             2.5

Products Affected

Vendor         Product                       Version
fedoraproject  fedora                        35
nodejs         node.js                       *
debian         debian_linux                  11.0
fedoraproject  fedora                        37
llhttp         llhttp                        *
fedoraproject  fedora                        36
siemens        sinec_ins                     1.0
stormshield    stormshield_management_center *

CVE-2022-35256

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling.

CVSS 3.x

Source        Score  Severity  Vector                                         Exploitability  Impact
nvd@nist.gov  6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N   3.9             2.5

Products Affected

Vendor   Product       Version
nodejs   node.js       *
debian   debian_linux  11.0
siemens  sinec_ins     *
llhttp   llhttp        *
siemens  sinec_ins     1.0