CVE-2022-35256
- EPSS 4.58%
- Published 05.12.2022 22:15:10
- Last modified 24.04.2025 14:15:32
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
CVE-2022-32213
- EPSS 89.07%
- Published 14.07.2022 15:15:08
- Last modified 21.11.2024 07:05:56
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
CVE-2022-32214
- EPSS 62%
- Published 14.07.2022 15:15:08
- Last modified 21.11.2024 07:05:56
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
CVE-2022-32215
- EPSS 88.11%
- Published 14.07.2022 15:15:08
- Last modified 21.11.2024 07:05:56
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
CVE-2021-22959
- EPSS 0.21%
- Published 15.11.2021 15:15:06
- Last modified 21.11.2024 05:51:01
The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.
CVE-2021-22960
- EPSS 0.18%
- Published 03.11.2021 20:15:08
- Last modified 21.11.2024 05:51:01
The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.