CVSS: 6.5EPSS: 3%CPEs: 11EXPL: 1CVE-2022-35256 – nodejs: HTTP Request Smuggling due to incorrect parsing of header fields
https://notcve.org/view.php?id=CVE-2022-35256
18 Oct 2022 — The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. El analizador llhttp en el módulo http en Node v18.7.0 no maneja correctamente los campos de encabezado que no terminan con CLRF. Esto puede resultar en tráfico ilegal de solicitudes HTTP. A vulnerability was found in NodeJS due to improper validation of HTTP requests. • https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 6.5EPSS: 89%CPEs: 15EXPL: 1CVE-2022-32213 – nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding
https://notcve.org/view.php?id=CVE-2022-32213
14 Jul 2022 — The llhttp parser
CVSS: 6.5EPSS: 68%CPEs: 9EXPL: 1CVE-2022-32214 – nodejs: HTTP request smuggling due to improper delimiting of header fields
https://notcve.org/view.php?id=CVE-2022-32214
14 Jul 2022 — The llhttp parser
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 1CVE-2021-22959 – llhttp: HTTP Request Smuggling due to spaces in headers
https://notcve.org/view.php?id=CVE-2021-22959
15 Nov 2021 — The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. El parser en acepta peticiones con un espacio (SP) justo después del nombre del encabezado antes de los dos puntos. Esto puede conllevar a un contrabando de peticiones HTTP (HRS) en llhttp versiones anteriores a v2.1.4 y versiones anteriores a v6.0.6 An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by ... • https://hackerone.com/reports/1238709 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 1CVE-2021-22960 – llhttp: HTTP Request Smuggling when parsing the body of chunked requests
https://notcve.org/view.php?id=CVE-2021-22960
03 Nov 2021 — The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. La función parse en llhttp versiones anteriores a 2.1.4 y versiones anteriores a 6.0.6. ignora las extensiones chunk cuando analiza el cuerpo de las peticiones chunked. Esto conlleva a un Contrabando de Peticiones HTTP (HRS) bajo determinadas condiciones An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp ... • https://hackerone.com/reports/1238099 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •