What is CVE-2022-32214?

CVE-2022-32214 is a vulnerability in Nodejs Node, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). Published 2022-07-14.

Is CVE-2022-32214 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Nodejs Node

CVE-2022-32214

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

Vulnerability class: HTTP Request Smuggling

EPSS: 0.769 (99.5th percentile) — read the EPSS interpretation.

Affected products

Nodejs Node — versions 4.0, 5.0, 6.0

Weakness classification (CWE)

CWE-444 — Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)

Public proof-of-concept exploits

References

nodejs.org/en/blog/vulnerability/july-2022-security-releases/
hackerone.com/reports/1524692
DSA-5326 (vendor-advisory)

Frequently asked questions

What is CVE-2022-32214?: CVE-2022-32214 is a vulnerability in Nodejs Node, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). Published 2022-07-14.
Is CVE-2022-32214 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.