📦

llhttp

Vendor: llhttp

Actively Exploited 0 CISA KEV List

PoC / Exploits 0 Code Available

Total RCEs 0 Remote Access

Total CVEs 6 Total Indexed

Avg. EPSS 36.03% Exploit Prob.

Latest CVE CVE-2022-35256 Dec 05

Security Vulnerability Index

Page 1 / 1

6.5 CVSS

CVE-2022-35256

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

EPSS: 3.69%

Severity: MEDIUM

Dec 05, 2022

6.5 CVSS

CVE-2022-32215

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

EPSS: 86.47%

Severity: MEDIUM

Jul 14, 2022

6.5 CVSS

CVE-2022-32214

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

EPSS: 39.29%

Severity: MEDIUM

Jul 14, 2022

6.5 CVSS

CVE-2022-32213

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

EPSS: 86.32%

Severity: MEDIUM

Jul 14, 2022

6.5 CVSS

CVE-2021-22959

The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

EPSS: 0.16%

Severity: MEDIUM

Nov 15, 2021

6.5 CVSS

CVE-2021-22960

The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

EPSS: 0.23%

Severity: MEDIUM

Nov 03, 2021

Displaying 6 of 6 Total Entries

Total 1 Sections