6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
0.004 Low
EPSS
Percentile
72.7%
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
CPE | Name | Operator | Version |
---|---|---|---|
node | eq | 18.8.0 | |
nodejs | eq | 8.11.3-r3 | |
nodejs | eq | 12.13.1-r0 | |
nodejs | eq | 12.18.3-r0 | |
nodejs | eq | 16.14.2-r1 | |
nodejs | eq | 14.17.5-r0 | |
nodejs | eq | 6.11.3-r0 | |
nodejs | eq | 6.9.1-r1 | |
nodejs | eq | 10.15.1-r0 | |
nodejs | eq | 12.19.0-r0 |
cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
hackerone.com/reports/1501679
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
nodejs.org/en/blog/vulnerability/july-2022-security-releases/
www.debian.org/security/2023/dsa-5326