CVE-2022-32215

Description

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

How to fix CVE-2022-32215

To remediate CVE-2022-32215, upgrade the affected package to a fixed version below.

• Alpine/nodejs—upgrade to 14.20.1-r0 or later
• Bitnami/node—upgrade to 14.14.1 or later
• —upgrade to 14.14.1 or later
• —upgrade to 12.22.12~dfsg-1~deb11u3 or later

Is CVE-2022-32215 being exploited?

Likely — EPSS is 86.5%, placing CVE-2022-32215 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (4)

• from 0, < 14.20.1-r0
• >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.0, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.16.0, >= 18.0.0, < 18.5.0
• >= 14.0.0, < 14.14.1, >= 14.15.0, < 14.20.0, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.16.0, >= 18.0.0, < 18.5.0
• from 0, < 12.22.12~dfsg-1~deb11u3

CVSS scores

References (10)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-32215
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-32215
• WEBcert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
• WEBhackerone.com/reports/1501679