CVE-2022-32214
llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields
9.1
CRITICAL
CVSS 3.1
EPSS 39.3%
Description
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
How to fix CVE-2022-32214
To remediate CVE-2022-32214, upgrade the affected package to a fixed version below.
- Alpine/nodejs—upgrade to 14.20.1-r0 or later
- —upgrade to 14.14.1 or later
- —upgrade to 14.14.1 or later
- —upgrade to 12.22.12~dfsg-1~deb11u3 or later
- —upgrade to 6.0.7 or later
Is CVE-2022-32214 being exploited?
Moderate — EPSS is 39.3%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (5)
- from 0, < 14.20.1-r0
- >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.0, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.16.0, >= 18.0.0, < 18.5.0
- >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.0, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.16.0, >= 18.0.0, < 18.5.0
- from 0, < 12.22.12~dfsg-1~deb11u3
- from 0, < 6.0.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |