CVE-2022-32213
nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding
Severity Score
Exploit Likelihood
Affected Versions
15Public Exploits
1Exploited in Wild
-Decision
Descriptions
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
El analizador llhttp anteriores a la versión v14.20.1, anteriores a la versión v16.17.1 y anteriores a la versión v18.9.1 del módulo http en Node.js no analiza y valida correctamente las cabeceras Transfer-Encoding y puede dar lugar a HTTP Request Smuggling (HRS)
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling (HRS), causing web cache poisoning, and conducting XSS attacks.
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-06-01 CVE Reserved
- 2022-07-14 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
References (9)
URL | Tag | Source |
---|