CVE-2022-32215

Name: CVE-2022-32215
Description: The llhttp parser in the http module of Node.js before v14.20.1, v16.17.1 and v18.9.1 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
NVD Severity: medium

References

Type                  URI
MISC                  https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
MISC                  https://hackerone.com/reports/1501679
Patch                 https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
Third Party Advisory  https://www.debian.org/security/2023/dsa-5326
                      https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
                      https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
                      https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/

Match rules

CPE URI                                         Source package   Min version   Max version
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*        nodejs           >= 18.0.0     < 18.5.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*        nodejs           >= 16.0.0     < 16.20.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*        nodejs           >= 14.0.0     < 14.20.0
cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*   llhttp           >= None       < 2.1.5
cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*   llhttp           >= 6.0.0      < 6.0.7
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*      nodejs           >= 14.15.0    < 14.20.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*      nodejs           >= 16.13.0    < 16.16.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*        nodejs           >= 14.0.0     <= 14.14.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*        nodejs           >= 16.0.0     <= 16.12.0
cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*   llhttp           >= 14.0.0     < 14.20.1
cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*   llhttp           >= 16.0.0     < 16.17.1
cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:*:*:*         llhttp           >= 18.0.0     < 18.9.1

Vulnerable and fixed packages

Source package   Branch           Version      Maintainer                              Status
nodejs-current   3.16-community   18.9.1-r0    Jose-Luis Rivas <ghostbar@riseup.net>   fixed
nodejs           3.13-main        14.20.1-r0   Jakub Jirutka <jakub@jirutka.cz>        fixed