CVE-2022-32214

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1a6e52db307f0da605a6f15426727834cfc522d8

Introduced

40ecd5601193c316e62e9216e8a4259130686208

Fixed

c98901f00d4b31a9a4b14d161177a7d9a64e36f7

Introduced

49a77a5a996a49e8cb728eed42e55a7c1a9eef6e

Fixed

0a18e136b4a1e860bb2befcbd1f78661ed5fb5e7

Introduced

c1da528bc25c9cc5a8240a7b4f136f5968f6e113

Fixed

50871b58d79c2493df7ed594d543df8a4162f4a4

Affected versions

v14.*

v14.15.0

v14.15.1

v14.15.2

v14.15.3

v14.15.4

v14.15.5

v14.16.0

v14.16.1

v14.17.0

v14.17.1

v14.17.2

v14.17.3

v14.17.4

v14.17.5

v14.17.6

v14.18.0

v14.18.1

v14.18.2

v14.18.3

v14.19.0

v14.19.1

v14.19.2

v14.19.3

v16.*

v16.13.0

v16.13.1

v16.13.2

v16.14.0

v16.14.1

v16.14.2

v16.15.0

v16.15.1

v18.*

v18.0.0

v18.1.0

v18.2.0

v18.3.0

v18.4.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-32214.json"

Git / github.com/wordpress/wordpress-develop

Affected ranges

Type: GIT
Repo: https://github.com/wordpress/wordpress-develop
Events: Introduced

1c0a2efa5eac05dfd3b7d2b9cfe68e02da55b966

Fixed

51e1504558785e87360fe93a9178608551960ea1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-32214.json"