CVE-2022-32215

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-32215
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-32215.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-32215
Aliases
Downstream
Related
Published
2022-07-14T15:15:08.387Z
Modified
2026-02-08T04:12:43.084079Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/node
Events
Introduced
c1da528bc25c9cc5a8240a7b4f136f5968f6e113
Fixed
50871b58d79c2493df7ed594d543df8a4162f4a4
Introduced
7162e686b18d22b4385fa5c04274fb04dbd810c7
Fixed
6b06e89c7dfccec6792008302af1cee57649445c
Introduced
73aa21658dfa6a22c06451d080152b32b1f98dbe
Fixed
c11b8215bd6388854efcc9302a7383c8c63b8127
Introduced
40ecd5601193c316e62e9216e8a4259130686208
Fixed
c98901f00d4b31a9a4b14d161177a7d9a64e36f7
Introduced
49a77a5a996a49e8cb728eed42e55a7c1a9eef6e
Fixed
df3ed1e89299e4c8f006fc20e22265a889c97919

Affected versions

v14.*
v14.15.0
v14.15.1
v14.15.2
v14.15.3
v14.15.4
v14.15.5
v14.16.0
v14.16.1
v14.17.0
v14.17.1
v14.17.2
v14.17.3
v14.17.4
v14.17.5
v14.17.6
v14.18.0
v14.18.1
v14.18.2
v14.18.3
v14.19.0
v14.19.1
v14.19.2
v14.19.3
v16.*
v16.0.0
v16.1.0
v16.10.0
v16.11.0
v16.11.1
v16.12.0
v16.13.0
v16.13.1
v16.13.2
v16.14.0
v16.14.1
v16.14.2
v16.15.0
v16.15.1
v16.16.0
v16.17.0
v16.2.0
v16.3.0
v16.4.0
v16.4.1
v16.4.2
v16.5.0
v16.6.0
v16.6.1
v16.6.2
v16.7.0
v16.8.0
v16.9.0
v16.9.1
v18.*
v18.0.0
v18.1.0
v18.2.0
v18.3.0
v18.4.0
v18.5.0
v18.6.0
v18.7.0
v18.8.0
v18.9.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-32215.json"