CVE-2022-32214

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-32214
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-32214.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-32214
Aliases
Downstream
Related
Published
2022-07-14T15:15:08.337Z
Modified
2026-03-14T11:47:58.729675Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

References

Affected packages

Git / github.com/nodejs/llhttp

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/llhttp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
f014c23bffb327f3749c6222e96247aec73a1caf
Introduced
3ec2251f809073fe8abdb50da6e7acb9d96a2ad9
Fixed
315a1c1b7695c2d1c4e80b359a3e30bc7b3f3f22
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.5"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.0.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/nodejs/node
Events
Introduced
73aa21658dfa6a22c06451d080152b32b1f98dbe
Last affected
354b6a93bd1d66f1833489d6fe01a2b0e8f6aff9
Introduced
c1da528bc25c9cc5a8240a7b4f136f5968f6e113
Fixed
50871b58d79c2493df7ed594d543df8a4162f4a4
Introduced
7162e686b18d22b4385fa5c04274fb04dbd810c7
Last affected
49415500bb1bf51a1fade5ea2d03f3988ecabc25
Introduced
40ecd5601193c316e62e9216e8a4259130686208
Fixed
c98901f00d4b31a9a4b14d161177a7d9a64e36f7
Introduced
49a77a5a996a49e8cb728eed42e55a7c1a9eef6e
Fixed
0a18e136b4a1e860bb2befcbd1f78661ed5fb5e7
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
cea049bcf8bb0f9a6e0095dbd5dffdb14dc8f71b
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
1a6e52db307f0da605a6f15426727834cfc522d8
Database specific 
{
    "versions": [
        {
            "introduced": "14.0.0"
        },
        {
            "last_affected": "14.14.0"
        },
        {
            "introduced": "14.15.0"
        },
        {
            "fixed": "14.20.0"
        },
        {
            "introduced": "16.0.0"
        },
        {
            "last_affected": "16.12.0"
        },
        {
            "introduced": "16.13.0"
        },
        {
            "fixed": "16.16.0"
        },
        {
            "introduced": "18.0.0"
        },
        {
            "fixed": "18.5.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "11.0"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "3.3.0"
        }
    ]
}

Affected versions

v14.*
v14.0.0
v14.1.0
v14.10.0
v14.10.1
v14.11.0
v14.12.0
v14.13.0
v14.13.1
v14.14.0
v14.15.0
v14.15.1
v14.15.2
v14.15.3
v14.15.4
v14.15.5
v14.16.0
v14.16.1
v14.17.0
v14.17.1
v14.17.2
v14.17.3
v14.17.4
v14.17.5
v14.17.6
v14.18.0
v14.18.1
v14.18.2
v14.18.3
v14.19.0
v14.19.1
v14.19.2
v14.19.3
v14.2.0
v14.3.0
v14.4.0
v14.5.0
v14.6.0
v14.7.0
v14.8.0
v14.9.0
v16.*
v16.0.0
v16.1.0
v16.10.0
v16.11.0
v16.11.1
v16.12.0
v16.13.0
v16.13.1
v16.13.2
v16.14.0
v16.14.1
v16.14.2
v16.15.0
v16.15.1
v16.2.0
v16.3.0
v16.4.0
v16.4.1
v16.4.2
v16.5.0
v16.6.0
v16.6.1
v16.6.2
v16.7.0
v16.8.0
v16.9.0
v16.9.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-32214.json"