CVE-2022-32215

EPSS 68.8% · CWE-444
In short

Node.js's HTTP parser fails to properly process Transfer-Encoding headers that span multiple lines, allowing attackers to sneak hidden requests through proxies and firewalls by exploiting this misinterpretation.

Technical detail

The llhttp parser in Node.js versions before 14.20.1, 16.17.1, and 18.9.1 incorrectly parses multi-line Transfer-Encoding headers. This enables HTTP request smuggling: an attacker sends a crafted request that the frontend and backend servers interpret differently, leading to request desynchronization and potential unauthorized access or cache poisoning.

Summary generated and translated by AI from the official description.
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
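
A defensive check for the condition described above, as an added example that is not part of the official description or of Node.js itself: it flags raw requests whose Transfer-Encoding header continues onto a following line, so a proxy-side filter or log review can reject or report them. It assumes "multi-line" means RFC 7230 line folding (a continuation line that starts with a space or tab); the function names and sample requests are constructed for illustration.

```javascript
"use strict";

// Constructed sample requests (not captured traffic).
const SAMPLE_PLAIN =
  "POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n";
const SAMPLE_FOLDED =
  "POST /upload HTTP/1.1\r\nHost: app.example\r\n" +
  "X-Note: first\r\n second\r\n" +          // folded, but not Transfer-Encoding
  "Transfer-Encoding:\r\n chunked\r\n\r\n"; // folded Transfer-Encoding

// Hypothetical helper: return every Transfer-Encoding field in the request
// head that was written across more than one line.
function findFoldedTransferEncoding(raw) {
  const text = Buffer.isBuffer(raw) ? raw.toString("latin1") : String(raw);
  // Only the header section matters; stop at the first empty line.
  const end = text.search(/\r?\n\r?\n/);
  const head = end === -1 ? text : text.slice(0, end);
  const lines = head.split(/\r?\n/).slice(1); // drop the request line
  const teFields = [];
  let current = null; // header field currently being accumulated

  for (const line of lines) {
    if (/^[ \t]/.test(line)) {
      // Continuation line: it extends the previous field's value.
      if (current) {
        current.folded = true;
        current.value = (current.value + " " + line.trim()).trim();
      }
      continue;
    }
    const colon = line.indexOf(":");
    if (colon === -1) { current = null; continue; } // malformed line, skip it
    current = {
      name: line.slice(0, colon).trim().toLowerCase(),
      value: line.slice(colon + 1).trim(),
      folded: false,
    };
    if (current.name === "transfer-encoding") teFields.push(current);
  }
  return teFields.filter((field) => field.folded);
}

// Policy wrapper: a folded Transfer-Encoding header is grounds for rejection.
function shouldReject(raw) {
  return findFoldedTransferEncoding(raw).length > 0;
}
```

Rejecting such requests at the edge complements, and does not replace, upgrading to a fixed Node.js release.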
Affected products
NodeJS · Node