CVE-2022-32214: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

July 14, 2022 (updated July 19, 2023)

The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

References

hackerone.com/reports/1524692
nodejs.org/en/blog/vulnerability/july-2022-security-releases/
nvd.nist.gov/vuln/detail/CVE-2022-32214

Code Behaviors & Features

Detect and mitigate CVE-2022-32214 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →