CVE-2022-32214: The llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2022-32214 after publication. Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability. Impacts: all versions of the 18.x, 16.x, and 14.x release lines. llhttp v6.0.7 and llhttp v2.1.5 contain the fixes that were updated inside Node.js.
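To make the parser-divergence point concrete, here is an added example (not code from Node.js, llhttp or Red Hat): a minimal HTTP request-head splitter with a strict mode, in which CRLF is the only accepted line terminator (the behaviour the llhttp fix enforces), and a lenient mode, in which a bare LF also ends a line. The request bytes, header names and helper names are constructed for this example. Running the same bytes through both modes shows the disagreement that request smuggling depends on: a lenient parser sees an extra header where a strict parser rejects the request outright.

```javascript
// Added example, not Node.js or llhttp code. Demonstrates strict (CRLF-only)
// versus lenient (CRLF or bare LF) line splitting of an HTTP request head.

// RFC 7230 token characters for a header field name (constructed helper).
const HEADER_RE = /^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$/;

// Split a request head into lines, stopping at the first empty line.
// strict=true: a bare LF or bare CR is a hard error.
// strict=false: a bare LF also terminates a line; a stray CR is kept as data.
function splitLines(raw, strict) {
  const lines = [];
  let start = 0;
  for (let i = 0; i < raw.length; i++) {
    if (raw[i] === '\r') {
      if (raw[i + 1] !== '\n') {
        if (strict) throw new Error(`bare CR at offset ${i}`);
        continue;
      }
      lines.push(raw.slice(start, i));
      i += 1;
      start = i + 1;
    } else if (raw[i] === '\n') {
      if (strict) throw new Error(`bare LF at offset ${i}`);
      lines.push(raw.slice(start, i));
      start = i + 1;
    }
    if (lines.length && lines[lines.length - 1] === '') {
      return { lines, bodyOffset: start };
    }
  }
  throw new Error('request head not terminated by an empty line');
}

// Parse the request line and header fields; header names are lower-cased.
function parseHead(raw, { strict = true } = {}) {
  const { lines, bodyOffset } = splitLines(raw, strict);
  const requestLine = lines[0];
  const headers = [];
  for (const line of lines.slice(1, -1)) {
    const m = HEADER_RE.exec(line);
    if (!m) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
    headers.push([m[1].toLowerCase(), m[2]]);
  }
  return { requestLine, headers, bodyOffset };
}

// Constructed sample requests. In BARE_LF the X-Trace line ends in "\n"
// instead of "\r\n", so a lenient parser sees a fourth line.
const WELL_FORMED =
  'GET /status HTTP/1.1\r\nHost: example.test\r\nX-Trace: abc\r\n\r\n';
const BARE_LF =
  'GET /status HTTP/1.1\r\nHost: example.test\r\nX-Trace: abc\nX-Extra: 1\r\n\r\n';

// Parse the same bytes in both modes and report how each mode sees them.
function compareParsers(raw) {
  const result = {};
  for (const mode of ['strict', 'lenient']) {
    try {
      const { headers } = parseHead(raw, { strict: mode === 'strict' });
      result[mode] = { ok: true, headerCount: headers.length };
    } catch (e) {
      result[mode] = { ok: false, error: e.message };
    }
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('well-formed:', JSON.stringify(compareParsers(WELL_FORMED)));
  console.log('bare LF:    ', JSON.stringify(compareParsers(BARE_LF)));
}
```

For the well-formed request both modes agree on two headers. For the bare-LF request the strict mode fails with "bare LF at offset 54" while the lenient mode happily reports three headers; a front end and back end that sit on opposite sides of that divergence will disagree about the boundaries of the message, which is why rejecting the request (as the patched llhttp does) is the safe behaviour.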
Created nodejs tracking bugs for this issue:
Affects: epel-all [bug 2108496]
Affects: fedora-all [bug 2108502]

Created nodejs:12/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108504]

Created nodejs:13/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2108498]

Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108505]

Created nodejs:15/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108506]

Created nodejs:16-epel/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2108500]

Created nodejs:16/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108507]

Created nodejs:18/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108508]
Respective commits:
v14: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd
v16: https://github.com/nodejs/node/commit/1da22eb48254f8c2d5f3c5865bb9f46e8b09ec60
v18: https://github.com/nodejs/node/commit/f2407748e3be07642d318ceb17366f62f41ddc33
This CVE was fixed by updating the bundled dependency to a newer version.
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Via RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Extended Update Support
Via RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-32214