9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-32213

GHSA ID

GHSA-5689-v88g-g6rv

EPSS Score

0.99491%

CWE

CWE-444

Published

7/15/2022

Updated

7/10/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-32213

CVE-2022-32213: llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding

The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

Impacts:

All versions of the nodejs 18.x, 16.x, and 14.x releases lines.
llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-32213

GHSA ID

GHSA-5689-v88g-g6rv

EPSS Score

0.99491%

CWE

CWE-444

Published

7/15/2022

Updated

7/10/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
llhttp	npm	< 6.0.7	6.0.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper Transfer-Encoding header validation. The commit diff shows a critical change in src/http.c where the llhttp__after_headers_complete function was modified to include a check for LENIENT_TRANSFER_ENCODING. Prior to this fix, the parser would erroneously accept multiple Transfer-Encoding values (like 'chunked, gzip') without proper validation, violating RFC 7230 requirements. This flaw allowed attackers to craft requests that bypass security checks, leading to request smuggling. The function's pre-patch logic failed to enforce strict parsing when leniency wasn't explicitly enabled, making it the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** ll*ttp p*rs*r in t** *ttp mo*ul* in No**.js v**.x *o*s not *orr**tly p*rs* *n* v*li**t* Tr*ns**r-*n*o*in* *****rs *n* **n l*** to *TTP R*qu*st Smu**lin* (*RS). Imp**ts: - *ll v*rsions o* t** no**js **.x, **.x, *n* **.x r*l**s*s lin*s. - ll*ttp

Reasoning

T** vuln*r**ility st*ms *rom improp*r Tr*ns**r-*n*o*in* *****r v*li**tion. T** *ommit *i** s*ows * *riti**l ***n** in sr*/*ttp.* w**r* t** ll*ttp__**t*r_*****rs_*ompl*t* *un*tion w*s mo*i*i** to in*lu** * ****k *or L*NI*NT_TR*NS**R_*N*O*IN*. Prior to

9.1

Basic Information

Concerned about an active attack path?

CVE-2022-32213: llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI