CVE-2022-32213 The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2022-32213 after publication. Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability. Impacts: All versions of the 18.x, 16.x, and 14.x release lines. llhttp v6.0.7 and llhttp v2.1.5 contain the fixes that were updated inside Node.js.
Created nodejs tracking bugs for this issue:
Affects: epel-all [bug 2108490]
Affects: fedora-all [bug 2108493]

Created nodejs:12/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108494]

Created nodejs:13/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2108491]

Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108495]

Created nodejs:15/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108497]

Created nodejs:16-epel/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2108492]

Created nodejs:16/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108501]

Created nodejs:18/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108503]

Respective commits:
v14: https://github.com/nodejs/node/commit/da0fda0fe8
v16: https://github.com/nodejs/node/commit/1da22eb482
v18: https://github.com/nodejs/node/commit/f2407748e3

This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-32213