CVE-2021-22960
03.11.2021, 20:15
The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| llhttp | llhttp | 𝑥 < 2.1.4 |
| llhttp | llhttp | 3.0.0 ≤ 𝑥 < 6.0.6 |
| oracle | graalvm | 20.3.4 |
| oracle | graalvm | 21.3.0 |
| debian | debian_linux | 11.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| nodejs10 |
| ||||||||||||
| nodejs10-devel |
| ||||||||||||
| nodejs10-docs |
| ||||||||||||
| nodejs12 |
| ||||||||||||
| nodejs12-devel |
| ||||||||||||
| nodejs12-docs |
| ||||||||||||
| nodejs14 |
| ||||||||||||
| nodejs14-devel |
| ||||||||||||
| nodejs14-docs |
| ||||||||||||
| npm10 |
| ||||||||||||
| npm12 |
| ||||||||||||
| npm14 |
|