Bug 2105428 (CVE-2022-32214) - CVE-2022-32214 nodejs: HTTP request smuggling due to improper delimiting of header fields
Summary: CVE-2022-32214 nodejs: HTTP request smuggling due to improper delimiting of h...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-32214
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2108496 2108498 2108500 2108066 2108067 2108068 2108069 2108070 2108502 2108504 2108505 2108506 2108507 2108508 2109531 2109582 2109583 2109584 2121023
Blocks: 2105423
Reported: 2022-07-08 18:46 UTC by Sage McTaggart
Modified: 2022-11-30 08:29 UTC (History)
CC List: 8 users

Fixed In Version: nodejs 14.20.0, nodejs 16.20.0, nodejs 18.5.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Node.js: the llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). An attacker who can send a specially crafted HTTP request to the server could smuggle arbitrary HTTP headers, enabling web cache poisoning and XSS attacks.
Clone Of:
Environment:
Last Closed: 2022-11-30 08:29:29 UTC
Embargoed:

Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2022:6389  0        None      None    None     2022-09-08 07:42:43 UTC
Red Hat Product Errata  RHSA-2022:6448  0        None      None    None     2022-09-13 09:44:23 UTC
Red Hat Product Errata  RHSA-2022:6449  0        None      None    None     2022-09-13 09:44:54 UTC
Red Hat Product Errata  RHSA-2022:6595  0        None      None    None     2022-09-20 12:24:34 UTC
Red Hat Product Errata  RHSA-2022:6985  0        None      None    None     2022-10-18 08:18:16 UTC

Description Sage McTaggart 2022-07-08 18:46:25 UTC
CVE-2022-32214

The llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

More details will be available at CVE-2022-32214 after publication.

Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.

Impacts:

All versions of the 18.x, 16.x, and 14.x release lines.
llhttp v6.0.7 and llhttp v2.1.5 contain the fixes that were updated inside Node.js.
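
The delimiting problem described above, as an added illustration that is not code from Node.js or llhttp: a minimal request-head parser run in lenient mode (a bare LF also ends a line) and in strict mode (CRLF only, which is what the fixed releases enforce), plus a check a front-end proxy or log reviewer can use to flag heads that are not CRLF-delimited. The sample request and its X-First/X-Second field names are constructed for the example.

```javascript
'use strict';

// Parse an HTTP/1.1 request head into request line, header fields and the
// bytes that follow it. strict=true: only CRLF terminates a line, as the
// fixed llhttp enforces. strict=false: a bare LF also terminates a line,
// the lenient behaviour the advisory describes as the flaw.
function parseHead(raw, strict) {
  const lines = raw.split(strict ? '\r\n' : /\r?\n/);
  const blank = lines.indexOf('');            // empty line closes the head
  if (blank === -1) throw new Error('incomplete request head');
  const head = lines.slice(0, blank);
  const headers = {};
  for (const [i, line] of head.entries()) {
    // A bare CR or LF only survives the split in strict mode; reject it
    // there, since another parser may treat it as a field boundary.
    if (strict && /[\r\n]/.test(line)) {
      throw new Error('bare CR/LF in request head: ' + JSON.stringify(line));
    }
    if (i === 0) continue;                    // request line, not a field
    const colon = line.indexOf(':');
    if (colon <= 0) throw new Error('malformed field: ' + JSON.stringify(line));
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  return {
    requestLine: head[0],
    headers,
    rest: lines.slice(blank + 1).join(strict ? '\r\n' : '\n'),
  };
}

// Defender-side check for proxies, WAFs or log review: true when the head
// contains an LF not preceded by CR, or a CR not followed by LF.
function hasBareLineBreak(raw) {
  return /(^|[^\r])\n|\r(?!\n)/.test(raw);
}

// Constructed sample: two header fields separated by a bare LF.
const SAMPLE = 'GET / HTTP/1.1\r\nHost: example.test\r\nX-First: 1\nX-Second: 2\r\n\r\n';

// Lenient parsing sees three fields; strict parsing rejects the head.
function demo() {
  const lenient = parseHead(SAMPLE, false);
  let strictError = null;
  try { parseHead(SAMPLE, true); } catch (e) { strictError = e.message; }
  return { lenientFields: Object.keys(lenient.headers), strictError, flagged: hasBareLineBreak(SAMPLE) };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```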

Comment 2 TEJ RATHI 2022-07-19 08:17:35 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108496]
Affects: fedora-all [bug 2108502]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108504]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108498]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108505]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108506]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108500]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108507]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108508]

Comment 4 errata-xmlrpc 2022-09-08 07:42:40 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389

Comment 5 errata-xmlrpc 2022-09-13 09:44:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448

Comment 6 errata-xmlrpc 2022-09-13 09:44:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449

Comment 7 errata-xmlrpc 2022-09-20 12:24:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595

Comment 9 errata-xmlrpc 2022-10-18 08:18:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985

Comment 10 Product Security DevOps Team 2022-11-30 08:29:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32214
