Description
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Attack Vector
- network
- Complexity
- low
- Privileges
- none
- User Action
- none
- Scope
- unchanged
- Confidentiality
- low
- Integrity
- low
- Availability
- none
- Weaknesses
- CWE-444CWE-444
Metadata
- Primary Vendor
- NODEJS
- Published
- 12/5/2022
- Last Modified
- 4/24/2025
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
nodejs : node.jsnodejs : node.jsnodejs : node.jsnodejs : node.jsnodejs : node.jsllhttp : llhttpsiemens : sinec_inssiemens : sinec_inssiemens : sinec_inssiemens : sinec_insdebian : debian_linux
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.