CVE-2022-32214

EPSS 77.3% · CWE-444

In short

Node.js's HTTP parser accepts HTTP requests that don't follow the strict line-ending standard, allowing attackers to trick servers into processing malicious requests hidden in legitimate traffic.

Technical detail

The llhttp parser in the Node.js http module fails to strictly validate the CRLF delimiters that mark HTTP request boundaries. This enables HTTP Request Smuggling: an attacker sends a malformed request that the front-end proxy and the back-end server interpret differently, potentially bypassing security controls.

Summary generated and translated by AI from the official description.
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
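A defender-side check for the condition described above, as an added example that is not code from this page, Node.js or llhttp: it scans the head of a raw HTTP/1.1 request (request line and headers) and reports every line terminator that is not a strict CRLF. The function name `checkRequestHead` and the sample requests are constructed for illustration.

```javascript
// Added example: strict CRLF check over the head of a raw HTTP/1.1 request.
// Intended for tests or traffic analysis in front of a Node.js back end.
const CR = 0x0d;
const LF = 0x0a;

// Returns { complete, headLength, violations }.
// violations: [{ offset, kind }] with kind 'bare-LF' or 'bare-CR'.
function checkRequestHead(raw) {
  const buf = Buffer.isBuffer(raw) ? raw : Buffer.from(raw, 'latin1');
  const violations = [];
  let lineStart = 0;

  for (let i = 0; i < buf.length; i++) {
    // A CR that is not immediately followed by LF is never a valid delimiter.
    if (buf[i] === CR && buf[i + 1] !== LF) {
      violations.push({ offset: i, kind: 'bare-CR' });
      continue;
    }
    if (buf[i] !== LF) continue;

    // An LF must be preceded by CR to form the CRLF delimiter.
    const hasCR = i > 0 && buf[i - 1] === CR;
    if (!hasCR) violations.push({ offset: i, kind: 'bare-LF' });

    // An empty line ends the head; the body is not line-delimited, so stop.
    const contentEnd = hasCR ? i - 1 : i;
    if (contentEnd === lineStart) {
      return { complete: true, headLength: i + 1, violations };
    }
    lineStart = i + 1;
  }
  // No empty line seen: the head is incomplete.
  return { complete: false, headLength: buf.length, violations };
}

// Constructed sample inputs.
const strictRequest = 'GET / HTTP/1.1\r\nHost: example.test\r\n\r\n';
const lenientRequest = 'GET / HTTP/1.1\r\nHost: example.test\nX-Test: 1\r\n\r\n';

console.log(checkRequestHead(strictRequest).violations);  // no violations
console.log(checkRequestHead(lenientRequest).violations); // one bare LF
```

A request that yields any violation is one that a strict parser rejects and a lenient one may accept, which is the disagreement request smuggling depends on.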
Affected products
NodeJS · Node