Lucene search

K
veracodeVeracode Vulnerability DatabaseVERACODE:41513
HistoryJul 23, 2023 - 4:52 a.m.

HTTP Request Smuggling (HRS)

2023-07-2304:52:48
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
15
http request smuggling
llhttp
software vulnerability
crlf sequence

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

58.0%

llhttp is vulnerable to HTTP Request Smuggling (HRS). The vulnerability exists because the http.js does not properly handle the CRLF sequence, allowing an attacker to smuggle HTTP requests by submitting Line feed (LF) characters without a Carriage Return (CR).

References

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

58.0%