CVE-2022-32214

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

References

Affected packages

Git / github.com/nodejs/llhttp

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/llhttp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f014c23bffb327f3749c6222e96247aec73a1caf

Affected versions

v1.*

v1.0.1

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.1.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-32214.json"

Git / github.com/nodejs/node

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Introduced

c1da528bc25c9cc5a8240a7b4f136f5968f6e113

Fixed

50871b58d79c2493df7ed594d543df8a4162f4a4

Affected versions

v14.*

v14.15.0

v14.15.1

v14.15.2

v14.15.3

v14.15.4

v14.15.5

v14.16.0

v14.16.1

v14.17.0

v14.17.1

v14.17.2

v14.17.3

v14.17.4

v14.17.5

v14.17.6

v14.18.0

v14.18.1

v14.18.2

v14.18.3

v14.19.0

v14.19.1

v14.19.2

v14.19.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-32214.json"