CVE-2022-32213
- Source
- https://cve.org/CVERecord?id=CVE-2022-32213
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-32213.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-32213
- Aliases
- Downstream
- Related
- Published
- 2022-07-14T15:15:08.287Z
- Modified
- 2026-04-16T04:37:47.043426377Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
- https://www.debian.org/security/2023/dsa-5326
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://hackerone.com/reports/1524555
Affected packages
Git / github.com/nodejs/llhttp
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nodejs/llhttp
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "2.1.5" }, { "introduced": "6.0.0" }, { "fixed": "6.0.7" }, { "introduced": "0" }, { "last_affected": "1.0-NA" }, { "introduced": "0" }, { "last_affected": "1.0-sp1" } ] }
- Type
- GIT
- Repo
- https://github.com/nodejs/node
- Events
-
IntroducedLast affectedIntroducedFixedIntroducedLast affectedIntroducedFixedIntroducedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "14.0.0" }, { "last_affected": "14.14.0" }, { "introduced": "14.15.0" }, { "fixed": "14.20.1" }, { "introduced": "16.0.0" }, { "last_affected": "16.12.0" }, { "introduced": "16.13.0" }, { "fixed": "16.17.1" }, { "introduced": "18.0.0" }, { "fixed": "18.9.1" }, { "introduced": "0" }, { "last_affected": "1.0-sp2" }, { "introduced": "0" }, { "last_affected": "11.0" } ] }
Affected versions
release/v1.*
release/v1.1.0
release/v1.1.1
release/v1.1.2
release/v1.1.3
release/v1.1.4
release/v2.*
release/v2.0.0
release/v2.0.1
release/v2.0.2
release/v2.0.3
release/v2.0.4
release/v2.0.5
release/v2.1.0
release/v2.1.1
release/v2.1.3
release/v2.2.0
release/v2.2.1
release/v3.*
release/v3.0.0
release/v3.0.1
release/v4.*
release/v4.0.0
release/v4.1.0
release/v4.1.1
release/v5.*
release/v5.0.0
release/v5.1.0
release/v6.*
release/v6.0.0
release/v6.0.1
release/v6.0.2
release/v6.0.3
release/v6.0.4
release/v6.0.5
release/v6.0.6
release/v6.0.7
v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.6
v0.1.0
v0.1.1
v0.1.10
v0.1.100
v0.1.101
v0.1.102
v0.1.103
v0.1.104
v0.1.11
v0.1.12
v0.1.13
v0.1.14
v0.1.15
v0.1.16
v0.1.17
v0.1.18
v0.1.19
v0.1.2
v0.1.20
v0.1.21
v0.1.22
v0.1.23
v0.1.24
v0.1.25
v0.1.26
v0.1.27
v0.1.28
v0.1.29
v0.1.3
v0.1.30
v0.1.31
v0.1.32
v0.1.33
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.1.92
v0.1.93
v0.1.94
v0.1.95
v0.1.96
v0.1.97
v0.1.98
v0.1.99
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.4.0
v0.5.0
v0.5.1
v0.5.10
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.5-rc1
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.7.0
v0.7.2
v0.7.3
v1.*
v1.0.1
v1.0.1-release
v1.0.2
v1.0.2-release
v1.0.3
v1.0.4
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.2.0
v1.3.0
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.7.0
v1.7.1
v11.*
v11.0.0
v14.*
v14.0.0
v14.1.0
v14.10.0
v14.10.1
v14.11.0
v14.12.0
v14.13.0
v14.13.1
v14.14.0
v14.15.0
v14.15.1
v14.15.2
v14.15.3
v14.15.4
v14.15.5
v14.16.0
v14.16.1
v14.17.0
v14.17.1
v14.17.2
v14.17.3
v14.17.4
v14.17.5
v14.17.6
v14.18.0
v14.18.1
v14.18.2
v14.18.3
v14.19.0
v14.19.1
v14.19.2
v14.19.3
v14.2.0
v14.20.0
v14.3.0
v14.4.0
v14.5.0
v14.6.0
v14.7.0
v14.8.0
v14.9.0
v16.*
v16.0.0
v16.1.0
v16.10.0
v16.11.0
v16.11.1
v16.12.0
v16.13.0
v16.13.1
v16.13.2
v16.14.0
v16.14.1
v16.14.2
v16.15.0
v16.15.1
v16.16.0
v16.17.0
v16.2.0
v16.3.0
v16.4.0
v16.4.1
v16.4.2
v16.5.0
v16.6.0
v16.6.1
v16.6.2
v16.7.0
v16.8.0
v16.9.0
v16.9.1
v18.*
v18.0.0
v18.1.0
v18.2.0
v18.3.0
v18.4.0
v18.5.0
v18.6.0
v18.7.0
v18.8.0
v18.9.0
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.1.0
v2.1.1
v2.1.3
v2.1.4
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.4.0
v2.5.0
v3.*
v3.0.0
v6.*
v6.0.7
v6.0.7a
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-32213.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "35"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "36"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "37"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.2"
}
]
}
]