CVE-2022-32213
llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding
9.1
CRITICAL
CVSS 3.1
EPSS 86.3%
Description
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
How to fix CVE-2022-32213
To remediate CVE-2022-32213, upgrade the affected package to a fixed version below.
- Alpine/nodejs—upgrade to 14.20.1-r0 or later
- —upgrade to 14.14.1 or later
- —upgrade to 14.14.1 or later
- —upgrade to 12.22.12~dfsg-1~deb11u3 or later
- —upgrade to 6.0.7 or later
Is CVE-2022-32213 being exploited?
Likely — EPSS is 86.3%, placing CVE-2022-32213 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (5)
- from 0, < 14.20.1-r0
- >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.17.1, >= 18.0.0, < 18.9.1
- >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.17.1, >= 18.0.0, < 18.9.1
- from 0, < 12.22.12~dfsg-1~deb11u3
- from 0, < 6.0.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |