CVE-2022-32214

The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

CVSS v3.0 9.1 CRITICAL

9.1^/10

CVSS v3.0 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://hackerone.com/reports/1524692	Exploit Issue Tracking Third Party Advisory
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:llhttp:llhttp::::::node.js::*
	cpe:2.3:a:llhttp:llhttp::::::node.js::*
	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*

Information

Published : 2022-07-14 15:15

Updated : 2022-07-27 15:56

NVD link : CVE-2022-32214

Mitre link : CVE-2022-32214

JSON object : View

Products Affected

nodejs

node.js

llhttp

llhttp

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://hackerone.com/reports/1524692", "name": "https://hackerone.com/reports/1524692", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/", "tags": ["Patch", "Vendor Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-444"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-32214", "ASSIGNER": "cve-assignments@hackerone.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}}, "publishedDate": "2022-07-14T15:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.1.5"}, {"cpe23Uri": "cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "6.0.7", "versionStartIncluding": "6.0.0"}, {"cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "18.5.0", "versionStartIncluding": "18.0.0"}, {"cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "14.20.0", "versionStartIncluding": "14.15.0"}, {"cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "16.16.0", "versionStartIncluding": "16.13.0"}, {"cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "14.14.0", "versionStartIncluding": "14.0.0"}, {"cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "16.12.0", "versionStartIncluding": "16.0.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-07-27T15:56Z"}