Back to search
CVE-2021-22960
Published: Nov 3, 2021
Modified: Apr 30, 2025
PUBLISHED
Description
The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
| Vendor | Product | Versions |
|---|---|---|
NodeJS | Node | affected 4.0 - < 4.*affected 5.0 - < 5.*affected 6.0 - < 6.*affected 7.0 - < 7.*affected 8.0 - < 8.*+8 more versions |
Weaknesses (CWE)
References
https://hackerone.com/reports/1238099
x_refsource_MISC
https://www.oracle.com/security-alerts/cpujan2022.html
x_refsource_MISC
DSA-5170
vendor-advisory
x_refsource_DEBIAN
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now