CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS2: 6.4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.007 Low
Percentile: 77.6%

llhttp is vulnerable to HTTP request smuggling. The vulnerability exists because http.js does not properly handle the CRLF sequence, allowing an attacker to smuggle HTTP requests by submitting LF characters without CR.

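The line-ending mismatch described above, as an added example (not code from llhttp or Node.js): a request head is read once with CRLF as the only line terminator and once by a model parser that also accepts a bare LF, and the differing header counts are the signal a front end can use to reject the request. The sample request, the header names and `inspectHead` are constructed for illustration.

```javascript
// Constructed sample: the "X-Note" line ends in a bare LF (no CR before it).
const SAMPLE = Buffer.from(
  'GET / HTTP/1.1\r\n' +
  'Host: example.test\r\n' +
  'X-Note: a\n' +            // bare LF
  'X-Extra: b\r\n' +
  '\r\n',
  'latin1'
);

// Inspect the head of a raw HTTP/1.1 request (hypothetical helper).
// Returns the offsets of LF bytes not preceded by CR, plus the number of
// header lines seen by a CRLF-only reader and by an LF-tolerant reader.
function inspectHead(buf) {
  const text = buf.toString('latin1');        // 1 byte == 1 char
  const end = text.indexOf('\r\n\r\n');       // end of head under strict rules
  const head = end === -1 ? text : text.slice(0, end);

  const bareLF = [];
  for (let i = 0; i < head.length; i++) {
    if (head[i] === '\n' && (i === 0 || head[i - 1] !== '\r')) bareLF.push(i);
  }

  // Subtract 1 for the request line in both counts.
  const strict = head.split('\r\n').length - 1;     // only CRLF ends a line
  const lenient = head.split(/\r?\n/).length - 1;   // LF alone also ends a line

  // Two parsers on the same connection would disagree about this request,
  // so the safe decision is to refuse it (for example with a 400 response).
  return { bareLF, strict, lenient, reject: bareLF.length > 0 };
}

console.log(inspectHead(SAMPLE));
```

A request with any bare LF in its head is refused outright rather than normalised, so every hop sees the same header set or none at all.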
github.com/nodejs/llhttp/commit/4b9b57d9a62ae6bc6f31a8a485ca58a9f090493f
github.com/nodejs/llhttp/commit/cc6b967e7fe849d3916b905fd0d41225b3e0c929
github.com/nodejs/llhttp/pull/161
github.com/nodejs/llhttp/pull/162
hackerone.com/reports/1524692
nodejs.org/en/blog/vulnerability/july-2022-security-releases/
security.netapp.com/advisory/ntap-20220915-0001/
www.debian.org/security/2023/dsa-5326