276 matches found

RedHat Linux | added 2022/09/08 7:45 a.m. | 4 views

nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding

A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling HRS, causing web cache poisoning, and conducting XSS attacks...

CVSS 6.5 | AI score 7.3 | EPSS 0.86318 | Exploits 1 | References 5
RedHat Linux | added 2022/09/08 7:45 a.m. | 0 views

nodejs: HTTP request smuggling due to improper delimiting of header fields

A vulnerability was found in NodeJS due to the llhttp parser in the http module not strictly using the CRLF sequence to delimit HTTP requests. This issue can lead to HTTP Request Smuggling HRS. This flaw allows an attacker to send a specially crafted HTTP request to the server and smuggle arbitra...

CVSS 6.5 | AI score 7.4 | EPSS 0.39294 | Exploits 1 | References 5
Hacker One | added 2022/08/20 3:13 a.m. | 49 views

Node.js: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields

Summary: The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling. Description: The following chunked request is processed. It should be rejected as Transfer-Encoding header obfuscatio...

CVSS 6.4 | AI score 8 | EPSS 0.03694 | Exploits 1
Hacker One | added 2022/08/10 8:50 a.m. | 73 views

Node.js: HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (improper fix for CVE-2022-32215)

Summary: Due to an incomplete fix for CVE-2022-32215, the llhttp parser in the http module in Node v16.16.0 and 18.7.0 still does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling HRS. Description: add more details about this vulnerability We have...

CVSS 6.4 | AI score 7.4 | EPSS 0.86472 | Exploits 1
Microsoft CVE | added 2022/07/22 7:00 a.m. | 2 views

The llhttp parser <v14.20.1 <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

...

CVSS 6.5 | AI score 6.8 | EPSS 0.86318 | Exploits 1
Microsoft CVE | added 2022/07/22 7:00 a.m. | 4 views

The llhttp parser <v14.20.1 <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

...

CVSS 6.5 | AI score 6.7 | EPSS 0.39294 | Exploits 1
Microsoft CVE | added 2022/07/22 7:00 a.m. | 3 views

The llhttp parser <v14.20.1 <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

...

CVSS 6.5 | AI score 6.8 | EPSS 0.86472 | Exploits 1
Tenable Nessus | added 2022/07/21 12:00 a.m. | 47 views

SUSE SLES12 Security Update : nodejs12 (SUSE-SU-2022:2417-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:2417-1 advisory. - AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the dat...

CVSS 8.1 | AI score 6.7 | EPSS 0.86472 | Exploits 3 | References 16
Tenable Nessus | added 2022/07/21 12:00 a.m. | 61 views

SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2022:2415-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:2415-1 advisory. - An OS Command Injection vulnerability exists in Node.js versions 14.20.0, 16.20.0, 18.5.0 due to an insufficient IsAllowedHost che...

CVSS 8.1 | AI score 7.5 | EPSS 0.86472 | Exploits 3 | References 14
RedHat Linux | added 2022/07/19 9:07 p.m. | 0 views

llhttp: HTTP Request Smuggling when parsing the body of chunked requests

An HTTP Request Smuggling HRS vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied such as proxy, reverse-proxy, load-balancer, an...

CVSS 6.5 | AI score 7.4 | EPSS 0.00229 | Exploits 1 | References 5
RedHat Linux | added 2022/07/19 9:07 p.m. | 0 views

llhttp: HTTP Request Smuggling due to spaces in headers

An HTTP Request Smuggling HRS vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied such as proxy, reverse-proxy, load-balancer, an attacker can use this flaw to inject...

CVSS 6.5 | AI score 7.4 | EPSS 0.00164 | Exploits 1 | References 5
vulnersOsv | added 2022/07/15 12:00 a.m. | 2 views

ds-mcp (>=1.0.9 <=1.0.11) potentially affected by CVE-2022-32214 via llhttp (=1.0.1)

llhttp NPM version =1.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on llhttp and may be impacted: - ds-mcp =1.0.9, =1.0.11 Source cves: CVE-2022-32214 Source advisory: OSV:GHSA-Q5VX-44V4-GCH4...

CVSS 6.5 | AI score 6.7 | EPSS 0.39294 | Exploits 1
Github Security Blog | added 2022/07/15 12:00 a.m. | 28 views

llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding

The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling HRS. Impacts: - All versions of the nodejs 18.x, 16.x, and 14.x release lines. - llhttp v6.0.7 and llhttp v2.1.5 contain the fixes that we...

CVSS 6.5 | AI score 6.9 | EPSS 0.86318 | Exploits 1 | References 11 | Affected Software 1
vulnersOsv | added 2022/07/15 12:00 a.m. | 2 views

ds-mcp (>=1.0.9 <=1.0.11) potentially affected by CVE-2022-32213 via llhttp (=1.0.1)

llhttp NPM version =1.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on llhttp and may be impacted: - ds-mcp =1.0.9, =1.0.11 Source cves: CVE-2022-32213 Source advisory: OSV:GHSA-5689-V88G-G6RV...

CVSS 6.5 | AI score 6.7 | EPSS 0.86318 | Exploits 1
Github Security Blog | added 2022/07/15 12:00 a.m. | 24 views

llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields

The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. The LF character without CR is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field...

CVSS 6.5 | AI score 6.9 | EPSS 0.39294 | Exploits 1 | References 8 | Affected Software 1
OSV | added 2022/07/15 12:00 a.m. | 27 views

GHSA-5689-V88G-G6RV llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding

The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling HRS. Impacts: - All versions of the nodejs 18.x, 16.x, and 14.x release lines. - llhttp v6.0.7 and llhttp v2.1.5 contain the fixes that we...

CVSS 9.1 | AI score 7.4 | EPSS 0.86318 | Exploits 1 | References 10
OSV | added 2022/07/15 12:00 a.m. | 24 views

GHSA-Q5VX-44V4-GCH4 llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields

The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. The LF character without CR is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field...

CVSS 9.1 | AI score 7.2 | EPSS 0.39294 | Exploits 1 | References 7
OSV | added 2022/07/14 3:15 p.m. | 3 views

AZL-10153 CVE-2022-32215 affecting package nodejs for versions less than 16.16.0-1

The llhttp parser <v14.20.1 <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling HRS...

CVSS 6.5 | AI score 6.7 | EPSS 0.86472 | Exploits 1 | References 1
OSV | added 2022/07/14 3:15 p.m. | 3 views

AZL-10150 CVE-2022-32213 affecting package nodejs for versions less than 16.20.2-4

The llhttp parser <v14.20.1 <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling HRS...

CVSS 6.5 | AI score 6.7 | EPSS 0.86318 | Exploits 1 | References 1
OSV | added 2022/07/14 3:15 p.m. | 1 view

DEBIAN-CVE-2022-32213

The llhttp parser <v14.20.1 <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling HRS...

CVSS 6.5 | AI score 6.6 | EPSS 0.86318 | Exploits 1 | References 1