CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile: 58.0%
llhttp is vulnerable to HTTP Request Smuggling (HRS). The vulnerability exists because http.js does not properly handle the CRLF sequence, allowing an attacker to smuggle HTTP requests by submitting line feed (LF) characters without a carriage return (CR).
github.com/advisories/GHSA-cggh-pq45-6h9x
github.com/nodejs/llhttp/commit/7e18596bae8f63692ded9d3250d5d984fe90dcfb
hackerone.com/reports/2001873
lists.fedoraproject.org/archives/list/[email protected]/message/HMEELCREWMRT6NS7HWXLA6XFLLMO36HE/
lists.fedoraproject.org/archives/list/[email protected]/message/IV326O2X4BE3SINX5FJHMAKVHUAA4ZYF/
lists.fedoraproject.org/archives/list/[email protected]/message/UEJWL67XR67JAGEL2ZK22NA3BRKNMZNY/
lists.fedoraproject.org/archives/list/[email protected]/message/VCVG4TQRGTK4LKAZKVEQAUEJM7DUACYE/
lists.fedoraproject.org/archives/list/[email protected]/message/VEEQIN5242K5NBE2CZ4DYTNA5B4YTYE5/
lists.fedoraproject.org/archives/list/[email protected]/message/VKFMKD4MJZIKFQJAAJ4VZ2FHIJ764A76/
security.netapp.com/advisory/ntap-20230803-0009/
security.netapp.com/advisory/ntap-20240621-0006/