Описание
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
A vulnerability was found in NodeJS due to the llhttp parser in the HTTP module incorrectly handling multi-line Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling (HRS). This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers, causing web cache poisoning, and conducting XSS attacks.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | nodejs:18/nodejs | Not affected | ||
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2022:6448 | 13.09.2022 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2022:6449 | 13.09.2022 |
| Red Hat Enterprise Linux 8.4 Extended Update Support | nodejs | Fixed | RHSA-2022:6985 | 18.10.2022 |
| Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2022:6595 | 20.09.2022 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs14-nodejs | Fixed | RHSA-2022:6389 | 08.09.2022 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module ...
The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
EPSS
6.5 Medium
CVSS3