GHSA-cggh-pq45-6h9x

Suggest an improvement
Source
https://github.com/advisories/GHSA-cggh-pq45-6h9x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cggh-pq45-6h9x/GHSA-cggh-pq45-6h9x.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cggh-pq45-6h9x
Aliases
Related
Published
2023-07-01T00:30:46Z
Modified
2024-09-11T06:12:29.654924Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
llhttp vulnerable to HTTP request smuggling
Details

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20

Database specific
{
    "nvd_published_at": "2023-07-01T00:15:10Z",
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-11T22:45:02Z"
}
References

Affected packages

npm / llhttp

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.1.1