CVE-2022-32215
14.07.2022, 15:15
The llhttp parser (versions before v14.20.1, v16.17.1 and v18.9.1) in the http module of Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
Vendor | Product | Version |
---|---|---|
llhttp | llhttp | 14.0.0 ≤ 𝑥 < 14.20.1 |
llhttp | llhttp | 16.0.0 ≤ 𝑥 < 16.17.1 |
llhttp | llhttp | 18.0.0 ≤ 𝑥 < 18.9.1 |
nodejs | node.js | 14.0.0 ≤ 𝑥 ≤ 14.14.0 |
nodejs | node.js | 14.15.0 ≤ 𝑥 < 14.20.0 |
nodejs | node.js | 16.0.0 ≤ 𝑥 ≤ 16.12.0 |
nodejs | node.js | 16.13.0 ≤ 𝑥 < 16.16.0 |
nodejs | node.js | 18.0.0 ≤ 𝑥 < 18.5.0 |
siemens | sinec_ins | 1.0 |
siemens | sinec_ins | 1.0:sp1 |
siemens | sinec_ins | 1.0:sp2 |
debian | debian_linux | 11.0 |
stormshield | stormshield_management_center | 𝑥 < 3.3.2 |
𝑥 = Vulnerable software versions
