CVE-2022-32215

Name: CVE-2022-32215
Description: The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs: 977716

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| nodejs (PTS) | buster, buster (security) | 10.24.0~dfsg-1~deb10u1 | vulnerable |
| | bullseye | 12.22.5~dfsg-2~11u1 | vulnerable |
| | bullseye (security) | 12.22.12~dfsg-1~deb11u1 | vulnerable |
| | bookworm | 18.6.0+dfsg-5 | fixed |
| | sid | 18.7.0+dfsg-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| llhttp | ITP | | | | | 977716 |
| nodejs | source | (unstable) | 18.6.0+dfsg-3 | | | |

Notes

https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-incorrect-parsing-of-multi-line-transfer-encoding-medium-cve-2022-32215
https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd (v14.x)
https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a (main)
