CVE-2022-32213
In short
Node.js versions before 14.20.1, 16.17.1, and 18.9.1 have a flaw in how they parse Transfer-Encoding headers in HTTP requests, allowing attackers to sneak malicious requests past security filters by exploiting this parsing mistake.
Technical detail
The llhttp parser in Node.js's http module fails to correctly parse and validate Transfer-Encoding headers, enabling HTTP Request Smuggling attacks. An attacker can craft specially formed requests with ambiguous Transfer-Encoding values to bypass request filtering, potentially allowing unauthorized access to backend services or cache poisoning. The vulnerability affects versions below 14.20.1, 16.17.1, and 18.9.1.
Summary generated and translated by AI from the official description.
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
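As an added example (not code from Node.js, llhttp or this advisory), the sketch below shows the kind of strict Transfer-Encoding and Content-Length validation a filter in front of an affected backend can apply to a raw request head. The rules are a strict reading of RFC 9112 and go beyond what the page states, which does not list the malformed values involved; `checkFraming`, `head` and `SAMPLES` are hypothetical names and the sample requests are constructed.

```javascript
// Added example, not Node.js or llhttp code. Rules follow a strict reading of
// RFC 9112 (an assumption; the page does not list the malformed values).
// checkFraming(), head() and SAMPLES are hypothetical, with constructed input.
function checkFraming(rawHead) {
  const problems = [], te = [], cl = [];
  for (const line of rawHead.split("\r\n").slice(1)) { // slice(1) skips the request line
    if (line === "") break; // blank line ends the header section
    if (/^[ \t]/.test(line)) { problems.push("obs-fold continuation line"); continue; }
    const colon = line.indexOf(":");
    if (colon < 1) { problems.push("header line without a field name"); continue; }
    const name = line.slice(0, colon);
    const value = line.slice(colon + 1).trim();
    if (/[ \t]/.test(name)) problems.push("whitespace in or after field name");
    const key = name.trim().toLowerCase();
    if (key === "transfer-encoding") te.push(value.toLowerCase());
    if (key === "content-length") cl.push(value);
  }
  if (te.length > 0 && cl.length > 0) {
    problems.push("Transfer-Encoding and Content-Length both present");
  }
  if (te.length > 0) {
    // Repeated Transfer-Encoding lines combine into one comma-separated list.
    const codings = te.join(",").split(",").map((c) => c.trim());
    if (codings[codings.length - 1] !== "chunked") problems.push("final transfer coding is not chunked");
  }
  if (cl.some((v) => !/^\d+$/.test(v)) || new Set(cl).size > 1) {
    problems.push("invalid or conflicting Content-Length");
  }
  return problems; // empty array: the framing is unambiguous
}

// Constructed request heads (header lines only, no body).
const head = (...fields) =>
  ["POST /api HTTP/1.1", "Host: app.example", ...fields, "", ""].join("\r\n");
const SAMPLES = {
  clean: head("Transfer-Encoding: chunked"),
  both: head("Content-Length: 4", "Transfer-Encoding: chunked"),
  notChunkedLast: head("Transfer-Encoding: chunked, gzip"),
  spaceBeforeColon: head("Transfer-Encoding : chunked"),
  folded: head("X-Note: a", " b"),
};
for (const [k, v] of Object.entries(SAMPLES)) console.log(k, checkFraming(v));
```

A request that yields a non-empty list is one where two parsers could disagree about where the body ends, so a filter would reject it rather than forward it.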
Affected products
NodeJS · Node
References
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://hackerone.com/reports/1524555
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
https://www.debian.org/security/2023/dsa-5326