CVE-2022-32213
medium
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
5.5
Description
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
Predictions
Exploit likelihood
30%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Source: Debian Security Tracker ยท View original โ ยท DFSG
CVE-2022-32213 NameCVE-2022-32213 DescriptionThe llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)โฆ
CVE-2022-32213
| Name | CVE-2022-32213 |
| Description | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-5326-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| llhttp (PTS) | forky, sid | 9.4.1+~cs12.11.9-3 | fixed |
| nodejs (PTS) | bullseye | 12.22.12~dfsg-1~deb11u4 | fixed |
| bullseye (security) | 12.22.12~dfsg-1~deb11u8 | fixed | |
| bookworm | 18.20.4+dfsg-1~deb12u1 | fixed | |
| bookworm (security) | 18.20.4+dfsg-1~deb12u2 | fixed | |
| trixie (security), trixie | 20.19.2+dfsg-1+deb13u2 | fixed | |
| forky, sid | 24.15.0+dfsg+~cs24.12.2-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| llhttp | source | (unstable) | (not affected) | |||
| nodejs | source | buster | (not affected) | |||
| nodejs | source | bullseye | 12.22.12~dfsg-1~deb11u3 | DSA-5326-1 | ||
| nodejs | source | (unstable) | 18.6.0+dfsg-3 |
Notes
[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
- llhttp <not-affected> (Fixed before initial upload to Debian)
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-flawed-parsing-of-transfer-encoding-medium-cve-2022-32213
https://hackerone.com/reports/1630668
https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd (v14.x)
https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 (v14.x)
https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a (main)
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#cve-2022-32213-bypass-via-obs-fold-mechanic-medium-cve-2022-32213
Apply commands
Notes
[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)- llhttp <not-affected> (Fixed before initial upload to Debian)https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-flawed-parsing-of-transfer-encoding-medium-cve-2022-32213https://hackerone.com/reports/1630668https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd (v14.x)https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 (v14.x)https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a (main)https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#cve-2022-32213-bypass-via-obs-fold-mechanic-medium-cve-2022-32213OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 18.6.0+dfsg-3 |
| sid | Fixed | 0 |
| forky | Fixed | 0 |
| bullseye | Fixed | 12.22.12~dfsg-1~deb11u3 |
| bookworm | Fixed | 18.6.0+dfsg-3 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
| 8 | Fixed | โ |
Rocky Linux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
| 8 | Fixed | โ |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | llhttp | <6.0.7 | 6.0.7 |
References
- https://access.redhat.com/errata/RHSA-2022:6595
- https://www.suse.com/security/cve/CVE-2022-32213.html
- https://errata.rockylinux.org/RLSA-2022:6449
- https://errata.rockylinux.org/RLSA-2022:6448
- https://nvd.nist.gov/vuln/detail/CVE-2022-32213
- https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb
- https://hackerone.com/reports/1524555
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
- https://security.netapp.com/advisory/ntap-20220915-0001
- https://www.debian.org/security/2023/dsa-5326
- https://errata.rockylinux.org/RLSA-2022:6595
- https://security-tracker.debian.org/tracker/CVE-2022-32213
- https://access.redhat.com/errata/RHSA-2022:6448
- https://bugzilla.redhat.com/2102001
- https://bugzilla.redhat.com/2105422
- https://bugzilla.redhat.com/2105426
- https://bugzilla.redhat.com/2105428
- https://bugzilla.redhat.com/2105430
- https://errata.almalinux.org/8/ALSA-2022-6448.html
- https://bugzilla.redhat.com/1907444
- https://bugzilla.redhat.com/1945459
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.