Fluid Attacks Database

Description

llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

Impacts:

All versions of the nodejs 18.x, 16.x, and 14.x releases lines.

llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	nodejs	>=0 <18.6.0+dfsg-3	18.6.0+dfsg-3
alpine v3.13	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.18.1-r0 \|\| =14.19.0-r0 \|\| =14.20.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <14.20.1-r0	14.20.1-r0
alpine v3.14	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.18.1-r0 \|\| =14.19.0-r0 \|\| =14.20.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <14.20.1-r0	14.20.1-r0
alpine v3.16	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.1-r1 \|\| =16.13.2-r0 \|\| =16.13.2-r1 \|\| =16.14.2-r0 \|\| =16.14.2-r1 \|\| =16.15.0-r0 \|\| =16.15.0-r1 \|\| =16.16.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <16.17.1-r0	16.17.1-r0
alpine v3.22	nodejs	>=0 <16.17.1-r0	16.17.1-r0
alpine v3.21	nodejs	>=0 <16.17.1-r0	16.17.1-r0
npm	llhttp	>=0 <6.0.7	6.0.7
alpine v3.15	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.2-r0 \|\| =16.14.0-r0 \|\| =16.14.2-r0 \|\| =16.16.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <16.17.1-r0	16.17.1-r0
alpine v3.17	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.1-r1 \|\| =16.13.2-r0 \|\| =16.13.2-r1 \|\| =16.14.2-r0 \|\| =16.14.2-r1 \|\| =16.15.0-r0 \|\| =16.15.0-r1 \|\| =16.16.0-r0 \|\| =16.16.0-r1 \|\| =16.17.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <16.17.1-r0	16.17.1-r0
alpine v3.18	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.1-r1 \|\| =16.13.2-r0 \|\| =16.13.2-r1 \|\| =16.14.2-r0 \|\| =16.14.2-r1 \|\| =16.15.0-r0 \|\| =16.15.0-r1 \|\| =16.16.0-r0 \|\| =16.16.0-r1 \|\| =16.17.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <16.17.1-r0	16.17.1-r0

1-10 of 19

Aliases

1. CVE-2022-322132. NVD-2022-322133. OSV-DEBIAN-2022-322134. OSV-2022-322135. OSV-ALPINE-2022-322136. GCVE-2022-322137. SECURITY-TRACKER-CVE-2022-322138. SECURITY-CVE-2022-32213

References

1. https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb2. https://hackerone.com/reports/15245553. https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf4. https://lists.fedoraproject.org/archives/list/[email protected]/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK5. https://lists.fedoraproject.org/archives/list/[email protected]/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH36. https://lists.fedoraproject.org/archives/list/[email protected]/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY7. https://nodejs.org/en/blog/vulnerability/july-2022-security-releases8. https://security.netapp.com/advisory/ntap-20220915-00019. https://www.debian.org/security/2023/dsa-5326