llhttp is vulnerable to HTTP request smuggling. The vulnerability exists because http.js does not properly handle the CRLF sequence, allowing an attacker to smuggle HTTP requests by submitting LF characters without CR.
github.com/nodejs/llhttp/commit/4b9b57d9a62ae6bc6f31a8a485ca58a9f090493f
github.com/nodejs/llhttp/commit/cc6b967e7fe849d3916b905fd0d41225b3e0c929
github.com/nodejs/llhttp/pull/161
github.com/nodejs/llhttp/pull/162
hackerone.com/reports/1524692
nodejs.org/en/blog/vulnerability/july-2022-security-releases/
security.netapp.com/advisory/ntap-20220915-0001/
www.debian.org/security/2023/dsa-5326
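
A defensive check for the condition described above, as an added example that is not llhttp's or Node.js's own code: it scans the head of a raw HTTP/1.1 request and reports every line terminator that is not an exact CRLF pair. The function names and the sample requests are constructed for illustration, and the buffer is assumed to hold the complete request head.

```javascript
'use strict';
// Added example: strict line-terminator check for a raw HTTP/1.1 request head.
// All names and sample requests below are constructed for illustration.

const CR = 0x0d, LF = 0x0a;

// Scan the request head (request line + headers) and return the byte offset
// and kind of every line terminator that is not an exact CRLF pair.
// Scanning stops at the first empty line, using the lenient definition
// (LF ends a line with or without a preceding CR), so every byte a tolerant
// parser would treat as part of the headers is covered. The body is not scanned.
function findBadLineEndings(buf) {
  const findings = [];
  let lineStart = 0;
  for (let i = 0; i < buf.length; i++) {
    const b = buf[i];
    if (b === CR && buf[i + 1] !== LF) {
      findings.push({ offset: i, kind: 'bare-cr' });
    } else if (b === LF) {
      const hasCr = i > 0 && buf[i - 1] === CR;
      if (!hasCr) findings.push({ offset: i, kind: 'bare-lf' });
      const lineEnd = hasCr ? i - 1 : i; // line content excludes terminator
      if (lineEnd === lineStart) break;  // empty line: end of the head
      lineStart = i + 1;
    }
  }
  return findings;
}

// True only when every line of the head ends in CRLF.
function hasStrictLineEndings(buf) {
  return findBadLineEndings(buf).length === 0;
}

// Constructed samples: a well-formed head, a head with one LF-only line
// ending, and a well-formed head whose body happens to contain a bare LF.
const SAMPLE_STRICT = Buffer.from(
  'GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n', 'latin1');
const SAMPLE_BARE_LF = Buffer.from(
  'GET / HTTP/1.1\r\nHost: example.test\nX-Constructed: 1\r\n\r\n', 'latin1');
const SAMPLE_LF_IN_BODY = Buffer.from(
  'POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\na\nb', 'latin1');
```

Run before a request is forwarded, a check like this lets a proxy or test harness reject or log requests whose head would be split differently by a strict parser and a lenient one.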