Cyber Resilience

CVE-2022-32213

Severity: Medium · Public PoC

Published: 14 July 2022
Modified: 21 November 2024
KEV Added: not listed in CISA KEV
CVSS v3.1 Score: 6.5 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score: 0.8632 (99.4th percentile)
Risk Priority: 65 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-32213 is a medium-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Node.js (vendor: nodejs). Its CVSS base score is 6.5 (Medium).

Operationally, it is ranked in the top 0.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is an HTTP request smuggling flaw (CWE-444) in the llhttp parser used by the http module in Node.js. Affected are Node.js releases prior to v14.20.1, v16.17.1 and v18.9.1, whose bundled llhttp fails to correctly parse and validate Transfer-Encoding headers; a malformed request can therefore be interpreted one way by Node.js and another way by a front-end proxy or other downstream system.

An unauthenticated remote attacker can send crafted HTTP requests that trigger the parsing inconsistency. Successful exploitation permits request smuggling, which can be leveraged to bypass access controls, poison caches, or reach resources that should be protected, resulting in limited impacts to confidentiality and integrity (no availability impact is scored).

Vendor advisories and distribution updates, including those from Siemens and Fedora, direct users to upgrade Node.js to the corrected llhttp versions. The HackerOne report linked to the CVE further documents the header-handling flaw and the need for parser updates to restore correct Transfer-Encoding validation.

EU & UK References

Vulnerability details

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor         Product                        Versions
llhttp         llhttp                         ≤ 2.1.5 · 6.0.0 — 6.0.7
nodejs         node.js                        14.0.0 — 14.14.0 · 14.15.0 — 14.20.1 · 16.0.0 — 16.12.0
fedoraproject  fedora                         35, 36, 37
siemens        sinec ins                      1.0
debian         debian linux                   11.0
stormshield    stormshield management center  ≤ 3.3.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References