First published: Tue Oct 12 2021(Updated: )
Node.js is vulnerable to HTTP request smuggling (HRS) because its HTTP parser, llhttp, ignores chunk extensions when parsing the body of a chunked request. Request smuggling needs a front end (reverse proxy, load balancer, cache or WAF) that frames the same bytes differently from the back end; a remote attacker who can send a specially crafted chunked request through such a front end to a Node.js server can desynchronize the two parsers and use that to poison the web cache, bypass web application firewall rules, or deliver XSS payloads to other users of the same connection.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/llhttp | <6.0.6 | 6.0.6 |
redhat/llhttp | <2.1.4 | 2.1.4 |
redhat/node | <12.22.7 | 12.22.7 |
redhat/node | <14.18.1 | 14.18.1 |
redhat/node | <16.11.1 | 16.11.1 |
redhat/rh-nodejs14-nodejs | <0:14.18.2-1.el7 | 0:14.18.2-1.el7 |
redhat/rh-nodejs14-nodejs-nodemon | <0:2.0.3-6.el7 | 0:2.0.3-6.el7 |
redhat/rh-nodejs12-nodejs | <0:12.22.12-2.el7 | 0:12.22.12-2.el7 |
llhttp | <2.1.4 | |
llhttp | >=3.0.0, <6.0.6 | |
Oracle GraalVM | =20.3.4 | |
Oracle GraalVM | =21.3.0 | |
Debian Linux | =11.0 | |
debian/nodejs | 10.24.0~dfsg-1~deb10u1, 10.24.0~dfsg-1~deb10u3, 12.22.12~dfsg-1~deb11u4, 18.13.0+dfsg1-1 | |
CVE-2021-22960 is an HTTP Request Smuggling (HRS) vulnerability in the llhttp library, the HTTP parser used by Node.js.
CVE-2021-22960 affects llhttp versions before 2.1.4 and versions from 3.0.0 up to but not including 6.0.6. In those versions the parse function ignores chunk extensions when parsing the body of chunked messages, so llhttp can accept a chunk-size line that a front end validating the extensions would reject or terminate elsewhere, which is the parser disagreement request smuggling relies on.
CVE-2021-22960 has a severity score of 6.1, rated medium.
CVE-2021-22960 affects the following software packages: rh-nodejs14-nodejs, rh-nodejs14-nodejs-nodemon, rh-nodejs12-nodejs, llhttp and node, as well as Oracle GraalVM 20.3.4 and 21.3.0 and the Debian nodejs packages listed above.
To fix CVE-2021-22960, upgrade llhttp to 2.1.4 (2.x line) or 6.0.6 (3.x to 6.x line), upgrade Node.js to 12.22.7, 14.18.1 or 16.11.1 or later, or update the affected distribution packages to the versions listed in the table.
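The description above and the FAQ entry on chunk extensions both come down to one point: a parser that skips the extension bytes of a chunk-size line wholesale can accept input that a stricter peer rejects, and that disagreement is what request smuggling exploits. The following is an added illustration, not code from llhttp, Node.js or any of the vendors listed; it is a minimal chunked-body decoder with a "lenient" policy modelling that class of bug (skip to the next CR, whatever lies in between) beside a "strict" policy that validates extensions against the RFC 7230 `chunk-ext` grammar. The two sample bodies are constructed, and the strict policy simplifies quoted-string handling; neither policy reproduces llhttp's real state machine.

```javascript
'use strict';
// Added illustration (not llhttp or Node.js code). Grammar being modelled (RFC 7230 4.1.1):
//   chunk          = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
//   chunk-ext      = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
//   chunk-ext-name = token        chunk-ext-val = token / quoted-string

const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;   // RFC 7230 tchar
const HEXDIG = /[0-9A-Fa-f]/;
const CTL = /[\x00-\x08\x0a-\x1f\x7f]/;            // control chars except HTAB

// Parses one chunk-size line starting at `pos`; returns { size, next }.
// strict=false: lenient policy, everything before the next CR is ignored.
// strict=true : only well-formed chunk-ext may appear before CRLF.
function parseChunkSizeLine(raw, pos, strict) {
  let i = pos;
  let hex = '';
  while (i < raw.length && HEXDIG.test(raw[i])) hex += raw[i++];
  if (hex === '') throw new Error(`invalid chunk size at offset ${pos}`);
  const size = parseInt(hex, 16);

  if (!strict) {
    // Lenient: a bare LF or any other byte inside the "extension" is skipped silently.
    const cr = raw.indexOf('\r', i);
    if (cr === -1 || raw[cr + 1] !== '\n') throw new Error('missing CRLF after chunk size');
    return { size, next: cr + 2 };
  }

  while (i < raw.length && raw[i] !== '\r') {
    if (raw[i] !== ';') throw new Error(`invalid byte 0x${raw.charCodeAt(i).toString(16)} in chunk extensions`);
    i++;
    let name = '';
    while (i < raw.length && !';=\r'.includes(raw[i])) name += raw[i++];
    if (!TOKEN.test(name)) throw new Error(`invalid chunk-ext-name ${JSON.stringify(name)}`);
    if (raw[i] === '=') {
      i++;
      if (raw[i] === '"') {                       // quoted-string (escapes not handled here)
        const end = raw.indexOf('"', i + 1);
        if (end === -1) throw new Error('unterminated quoted-string');
        const value = raw.slice(i + 1, end);
        if (CTL.test(value)) throw new Error('control character in quoted-string');
        i = end + 1;
      } else {
        let value = '';
        while (i < raw.length && !';\r'.includes(raw[i])) value += raw[i++];
        if (!TOKEN.test(value)) throw new Error(`invalid chunk-ext-val ${JSON.stringify(value)}`);
      }
    }
  }
  if (raw[i] !== '\r' || raw[i + 1] !== '\n') throw new Error('missing CRLF after chunk extensions');
  return { size, next: i + 2 };
}

// Decodes a chunked body; `consumed` is how many bytes of `raw` the decoder
// attributed to this message, which is what a smuggling attack manipulates.
function decodeChunked(raw, strict) {
  let pos = 0;
  let data = '';
  for (;;) {
    const { size, next } = parseChunkSizeLine(raw, pos, strict);
    pos = next;
    if (size === 0) {
      // Trailer fields omitted for brevity: expect the final CRLF directly.
      if (raw.slice(pos, pos + 2) !== '\r\n') throw new Error('missing final CRLF');
      return { data, consumed: pos + 2 };
    }
    if (raw.length < pos + size + 2) throw new Error('truncated chunk');
    data += raw.slice(pos, pos + size);
    if (raw.slice(pos + size, pos + size + 2) !== '\r\n') throw new Error('missing CRLF after chunk data');
    pos += size + 2;
  }
}

// Runs both policies on the same bytes and reports whether they agree on
// acceptance and on where the message ends.
function compare(raw) {
  const run = (strict) => {
    try { return { ok: true, ...decodeChunked(raw, strict) }; }
    catch (e) { return { ok: false, error: e.message }; }
  };
  const lenient = run(false);
  const strict = run(true);
  return { lenient, strict, agree: lenient.ok === strict.ok && lenient.consumed === strict.consumed };
}

// Constructed samples. The second one hides a bare LF inside the chunk extension.
const BENIGN = '5;name=value\r\nhello\r\n0\r\n\r\n';
const BARE_LF = '5;x\n0\r\nhello\r\n0\r\n\r\n';

console.log('benign      ', JSON.stringify(compare(BENIGN)));
console.log('bare LF ext ', JSON.stringify(compare(BARE_LF)));
```

Run with `node`: for `BENIGN` both policies decode `hello` and consume the same 26 bytes, while for `BARE_LF` the lenient decoder still happily returns `hello` and the strict one rejects the line at the extension name. A front end that rejects (or ends the line at) the bare LF and a back end that skips it no longer agree on which bytes form the request, which is the precondition the advisory's "under certain conditions" refers to. The fix for a parser is the strict branch: validate or at least bound the extension bytes rather than skipping to the next CR.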