CVE-2021-22959

The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.
References
Link Resource
https://hackerone.com/reports/1238709 Exploit Issue Tracking Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.debian.org/security/2022/dsa-5170 Mailing List Third Party Advisory
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

OR cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*
cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:node.js:*:*

Configuration 2 (hide)

OR cpe:2.3:a:oracle:graalvm:21.3.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:20.3.4:*:*:*:enterprise:*:*:*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Information

Published : 2021-11-15 07:15

Updated : 2022-12-09 08:14


NVD link : CVE-2021-22959

Mitre link : CVE-2021-22959


JSON object : View

CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Advertisement

dedicated server usa

Products Affected

debian

  • debian_linux

oracle

  • graalvm

llhttp

  • llhttp