The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "nodejs-doc": "12.22.9~dfsg-1ubuntu3", "libnode72": "12.22.9~dfsg-1ubuntu3", "nodejs": "12.22.9~dfsg-1ubuntu3", "libnode-dev": "12.22.9~dfsg-1ubuntu3", "libnode72-dbgsym": "12.22.9~dfsg-1ubuntu3", "nodejs-dbgsym": "12.22.9~dfsg-1ubuntu3" } ] }