#VU59234 Inconsistent interpretation of HTTP requests in llhttp


Published: 2022-01-05

Vulnerability identifier: #VU59234

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-22960

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
llhttp
Web applications / Modules and components for CMS

Vendor: Node.js Foundation

Description

The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests, where the application ignores chunk extensions when parsing the body of chunked requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

llhttp: 6.0.0 - 6.0.5, 5.1.0, 5.0.0, 4.1.0 - 4.1.1, 4.0.0, 3.0.0 - 3.0.1, 2.2.0 - 2.2.1, 2.1.0 - 2.1.3, 2.0.0 - 2.0.5, 1.1.0 - 1.1.4, 1.0.1

Fixed software versions

CPE

External links
http://hackerone.com/reports/1238099

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM QRadar Pulse for QRadar SIEM
Red Hat Enterprise Linux 8 update for the nodejs:12 module
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions update for the nodejs:12 module
Red Hat Enterprise Linux 8.2 Extended Update Support update for the nodejs:12 module
Red Hat Enterprise Linux 8.4 Extended Update Support update for the nodejs:12 module
SUSE update for nodejs10
Multiple vulnerabilities in IBM Voice Gateway
Multiple vulnerabilities in IBM Security Verify Governance
Debian update for nodejs
Red Hat Software Collections update for rh-nodejs12-nodejs