6 matches found
CVE-2022-35256
CVE-2022-35256 concerns the llhttp parser used by Node.js (http module) where header fields not terminated with CRLF can enable HTTP Request Smuggling. The issue is present in Node.js builds that include the llhttp version affected and has been addressed by package updates in multiple distributio...
CVE-2021-22960
CVE-2021-22960 affects the llhttp parser used by Node.js (http module). The vulnerability is due to the parser ignoring chunk extensions when parsing the body of chunked requests, enabling HTTP Request Smuggling under certain proxy scenarios. Affected versions are llhttp before 2.1.4 and before 6...
CVE-2021-22959
CVE-2021-22959 relates to HTTP Request Smuggling in the llhttp parser when a space follows a header name before the colon. Affected llhttp versions are < v2.1.4 and
CVE-2022-32215
CVE-2022-32215 concerns the llhttp parser used by Node.js. The http module can mishandle multi-line Transfer-Encoding headers in vulnerable builds, enabling HTTP Request Smuggling (HRS). Affected are Node.js builds that ship with llhttp < v14.20.1, < v16.17.1, and
CVE-2022-32213
CVE-2022-32213 concerns the llhttp parser in Node.js’ http module, where the parser may incorrectly parse and validate Transfer-Encoding headers, enabling HTTP Request Smuggling (HRS). The vulnerability is cited in multiple advisories (Debian, Red Hat, and Amazon Linux family) as part of a set in...
CVE-2022-32214
CVE-2022-32214 affects the Node.js http module via the llhttp parser, where versions <14.20.1, <16.17.1, and =14.20.1, >=16.17.1, >=18.9.1 or newer Node.js releases that bundle these llhttp versions). If exploitation details or CVSS changes are needed, refer to the linked advisories i...