Description
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
A vulnerability was found in Node.js due to improper validation of HTTP requests. The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling (HRS), which can result in web cache poisoning and XSS attacks.
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
Red Hat Enterprise Linux 8 | nodejs:18/nodejs | Not affected | | |
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2022:6448 | 13.09.2022 |
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2022:6449 | 13.09.2022 |
Red Hat Enterprise Linux 8.4 Extended Update Support | nodejs | Fixed | RHSA-2022:6985 | 18.10.2022 |
Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2022:6595 | 20.09.2022 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs14-nodejs | Fixed | RHSA-2022:6389 | 08.09.2022 |
Additional information
CVSS3: 6.5 Medium