GHSA-q5vx-44v4-gch4

Suggest an improvement
Source
https://github.com/advisories/GHSA-q5vx-44v4-gch4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-q5vx-44v4-gch4/GHSA-q5vx-44v4-gch4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q5vx-44v4-gch4
Aliases
Published
2022-07-15T00:00:18Z
Modified
2023-12-06T00:47:18.980060Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields
Details

The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. The LF character (without CR) is sufficient to delimit HTTP header fields in the lihttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This can lead to HTTP Request Smuggling (HRS).

References

Affected packages

npm / llhttp

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.7