CVEInsight.

Free vulnerability intelligence for developers, security teams, and researchers. Data sourced from public databases for informational purposes only.

Explore

Legal

CVE data sourced from NVD / NIST & public disclosures.

Search Vulnerabilities

Software

Searching vulnerabilities affecting “llhttp”

6 vulnerabilities found for “llhttp”

CVE-2022-35256

MEDIUM6.5

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

nodejs / node.js+10

Network

Published Dec 5, 2022

CVE-2022-32215

MEDIUM6.5

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

llhttp / llhttp+15

Network

Published Jul 14, 2022

CVE-2022-32214

MEDIUM6.5

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

llhttp / llhttp+8

Network

Published Jul 14, 2022

CVE-2022-32213

MEDIUM6.5

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

llhttp / llhttp+14

Network

Published Jul 14, 2022

CVE-2021-22959

MEDIUM6.5

The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

llhttp / llhttp+4

Network

Published Nov 15, 2021

CVE-2021-22960

MEDIUM6.5

The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

llhttp / llhttp+4

Network

Published Nov 3, 2021