{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-32215", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "dateUpdated": "2025-04-30T22:24:42.485Z", "dateReserved": "2022-06-01T00:00:00.000Z", "datePublished": "2022-07-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-04-30T22:24:42.485Z"}, "descriptions": [{"lang": "en", "value": "The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS)."}], "affected": [{"product": "Node", "vendor": "NodeJS", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "4.0", "status": "affected", "lessThan": "4.*"}, {"versionType": "semver", "version": "5.0", "status": "affected", "lessThan": "5.*"}, {"versionType": "semver", "version": "6.0", "status": "affected", "lessThan": "6.*"}, {"versionType": "semver", "version": "7.0", "status": "affected", "lessThan": "7.*"}, {"versionType": "semver", "version": "8.0", "status": "affected", "lessThan": "8.*"}, {"versionType": "semver", "version": "9.0", "status": "affected", "lessThan": "9.*"}, {"versionType": "semver", "version": "10.0", "status": "affected", "lessThan": "10.*"}, {"versionType": "semver", "version": "11.0", "status": "affected", "lessThan": "11.*"}, {"versionType": "semver", "version": "12.0", "status": "affected", "lessThan": "12.*"}, {"versionType": "semver", "version": "13.0", "status": "affected", "lessThan": "13.*"}, {"versionType": "semver", "version": "14.0", "status": "affected", "lessThan": "14.20.1"}, {"versionType": "semver", "version": "15.0", "status": "affected", "lessThan": "15.*"}, {"versionType": "semver", "version": "16.0", "status": "affected", "lessThan": "16.17.1"}, {"versionType": "semver", "version": "17.0", "status": "affected", "lessThan": "17.*"}, {"versionType": "semver", "version": "18.0", "status": "affected", "lessThan": "18.9.1"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/"}, {"url": "https://hackerone.com/reports/1501679"}, {"name": "FEDORA-2022-52dec6351a", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/"}, {"name": "FEDORA-2022-1667f7b60a", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/"}, {"name": "FEDORA-2022-de515f765f", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"}, {"name": "DSA-5326", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2023/dsa-5326"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "HTTP Request Smuggling (CWE-444)", "cweId": "CWE-444"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:32:56.008Z"}, "title": "CVE Program Container", "references": [{"url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/", "tags": ["x_transferred"]}, {"url": "https://hackerone.com/reports/1501679", "tags": ["x_transferred"]}, {"name": "FEDORA-2022-52dec6351a", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/"}, {"name": "FEDORA-2022-1667f7b60a", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/"}, {"name": "FEDORA-2022-de515f765f", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", "tags": ["x_transferred"]}, {"name": "DSA-5326", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2023/dsa-5326"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E47EBF6E-EAF4-4853-A7F1-49B0E2880E44", "versionEndExcluding": "14.20.1", "versionStartIncluding": "14.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BF84A61F-30D6-4D93-BCBD-C856D671B68B", "versionEndExcluding": "16.17.1", "versionStartIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:*:*:*", "matchCriteriaId": "65CED312-C629-4515-A3F4-84E889159D4A", "versionEndExcluding": "18.9.1", "versionStartIncluding": "18.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "428DCD7B-6F66-4F18-B780-5BD80143D482", "versionEndIncluding": "14.14.0", "versionStartIncluding": "14.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "3EB02718-B2A5-4822-B611-D62BB9EF44B0", "versionEndExcluding": "14.20.0", "versionStartIncluding": "14.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "1D1D0CEC-62E5-4368-B8F2-1DA5DD0B88FA", "versionEndIncluding": "16.12.0", "versionStartIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "D9D9B02E-C965-408B-999E-1F3DA09B62AA", "versionEndExcluding": "16.16.0", "versionStartIncluding": "16.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "D224E154-915A-4E2C-A0D7-D28D1C1472F7", "versionEndExcluding": "18.5.0", "versionStartIncluding": "18.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*", "matchCriteriaId": "4664B195-AF14-4834-82B3-0B2C98020EB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "75BC588E-CDF0-404E-AD61-02093A1DF343", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "A334F7B4-7283-4453-BAED-D2E01B7F8A6E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stormshield:stormshield_management_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "57CACB72-BAD7-41F6-9977-321DA7F79519", "versionEndExcluding": "3.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS)."}, {"lang": "es", "value": "El parser llhttp anteriores a la versi\u00f3n v14.20.1, anteriores a la versi\u00f3n v16.17.1 y anteriores a la versi\u00f3n v18.9.1 del m\u00f3dulo http en Node.js no maneja correctamente las cabeceras Transfer-Encoding de varias l\u00edneas. Esto puede llevar al contrabando de solicitudes HTTP (HRS)"}], "id": "CVE-2022-32215", "lastModified": "2024-11-21T07:05:56.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-14T15:15:08.387", "references": [{"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"}, {"source": "support@hackerone.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://hackerone.com/reports/1501679"}, {"source": "support@hackerone.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/"}, {"source": "support@hackerone.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/"}, {"source": "support@hackerone.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/"}, {"source": "support@hackerone.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5326"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://hackerone.com/reports/1501679"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5326"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Upstream acknowledges Zeyu Zhang as the original reporter.", "affected_release": [{"advisory": "RHSA-2022:6448", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:14-8060020220804102127.ad008a3a", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-09-13T00:00:00Z"}, {"advisory": "RHSA-2022:6449", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:16-8060020220805104227.ad008a3a", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-09-13T00:00:00Z"}, {"advisory": "RHSA-2022:6985", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "nodejs:14-8040020220804130254.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-10-18T00:00:00Z"}, {"advisory": "RHSA-2022:6595", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs-1:16.16.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-09-20T00:00:00Z"}, {"advisory": "RHSA-2022:6389", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs14-nodejs-0:14.20.0-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2022-09-08T00:00:00Z"}], "bugzilla": {"description": "nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding", "id": "2105426", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105426"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-444", "details": ["The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).", "A vulnerability was found in NodeJS due to the llhttp parser in the HTTP module incorrectly handling multi-line Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling (HRS). This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers, causing web cache poisoning, and conducting XSS attacks."], "name": "CVE-2022-32215", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:18/nodejs", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2022-07-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-32215\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-32215\nhttps://nodejs.org/en/blog/vulnerability/july-2022-security-releases/"], "threat_severity": "Moderate"}

{}