10 matches found

Snyk
added 2025/05/13 9:0 p.m., 1 views

HTTP Request Smuggling

Overview: Affected versions of this package are vulnerable to HTTP Request Smuggling in the llhttp implementation, when handling HTTP/1 headers terminated with \r\n\rX instead of the required \r\n\r\n. This allows attackers to bypass proxy-based access controls and submit unauthorized requests...

CVSS 6.9, AI score 8.6, EPSS 0.00096
Exploits: 1, References: 2
Tenable Nessus
added 2024/11/14 12:0 a.m., 6 views

Fedora 41 : llhttp / python-aiohttp (2024-8deaadd998)

The remote Fedora 41 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2024-8deaadd998 advisory. Update llhttp to 9.2.1, fixing CVE-2024-27982. Backport llhttp 9.2.1 support to python-aiohttp 3.9.3. Tenable has extracted the preceding description block...

CVSS 6.5, AI score 7, EPSS 0.00529
Exploits: 0, References: 2
Tenable Nessus
added 2024/11/14 12:0 a.m., 3 views

Fedora 37 : llhttp (2022-9e7f967d20)

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-9e7f967d20 advisory. Update to v6.0.10 - Disable chunked on obs https://github.com/nodejs/llhttp/pull/196 https://github.com/nodejs/llhttp/compare/v6.0.9...v6.0.10 Tenable has...

AI score 5.6
Exploits: 0, References: 1
SUSE CVE
added 2023/02/15 3:45 a.m., 1 views

SUSE CVE-2021-22960

The parse function in llhttp 2.1.4 and 6.0.6 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions...

CVSS 6.1, AI score 7.2, EPSS 0.00229
Exploits: 1, References: 14
vulnersOsv
added 2022/07/15 12:0 a.m., 2 views

ds-mcp (>=1.0.9 <=1.0.11) potentially affected by CVE-2022-32214 via llhttp (=1.0.1)

llhttp NPM version =1.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on llhttp and may be impacted: - ds-mcp =1.0.9, =1.0.11 Source cves: CVE-2022-32214 Source advisory: OSV:GHSA-Q5VX-44V4-GCH4...

CVSS 6.5, AI score 6.7, EPSS 0.39294
Exploits: 1
vulnersOsv
added 2022/07/15 12:0 a.m., 2 views

ds-mcp (>=1.0.9 <=1.0.11) potentially affected by CVE-2022-32213 via llhttp (=1.0.1)

llhttp NPM version =1.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on llhttp and may be impacted: - ds-mcp =1.0.9, =1.0.11 Source cves: CVE-2022-32213 Source advisory: OSV:GHSA-5689-V88G-G6RV...

CVSS 6.5, AI score 6.7, EPSS 0.86318
Exploits: 1
OSV
added 2021/11/15 3:15 p.m., 0 views

UBUNTU-CVE-2021-22959

The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp v2.1.4 and v6.0.6...

CVSS 6.5, AI score 6.7, EPSS 0.00164
Exploits: 1, References: 3
Prion
added 2021/11/15 3:15 p.m., 27 views

Design/Logic Flaw

The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp v2.1.4 and v6.0.6...

CVSS 6.4, AI score 6.6, EPSS 0.00164
Exploits: 1, References: 3, Affected Software: 3
OSV
added 2021/11/03 8:15 p.m., 1 views

DEBIAN-CVE-2021-22960

The parse function in llhttp 2.1.4 and 6.0.6 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions...

CVSS 6.5, AI score 6.7, EPSS 0.00229
Exploits: 1, References: 1
OSV
added 2021/11/03 8:15 p.m., 1 views

ALPINE-CVE-2021-22960

The parse function in llhttp 2.1.4 and 6.0.6 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions...

CVSS 6.5, AI score 6.9, EPSS 0.00229
Exploits: 1, References: 1