Bugzilla – Bug 1201325
VUL-0: CVE-2022-32213: nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding
Last modified: 2023-02-01 12:06:00 UTC
CVE-2022-32213: The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2022-32213 after publication. Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.

Impacts: All versions of the 18.x, 16.x, and 14.x release lines. llhttp v6.0.7 and llhttp v2.1.5 contain the fixes that were updated inside Node.js.
The upstream commit does not mention this CVE but CVE-2022-32212, but I think it's a typo.
main: https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a
16.x: https://github.com/nodejs/node/commit/1da22eb48254f8c2d5f3c5865bb9f46e8b09ec60
14.x: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd

Library patch:
main: https://github.com/nodejs/llhttp/commit/4b9b57d9a62ae6bc6f31a8a485ca58a9f090493f
2.1.x: https://github.com/nodejs/llhttp/commit/cc6b967e7fe849d3916b905fd0d41225b3e0c929 (used by nodejs12 and nodejs14)

Hard to tell if nodejs10 and older are affected, since they do not use llhttp but http_parser, which is unmaintained.
SUSE-SU-2022:2415-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1192489,1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs16-16.16.0-8.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2416-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs14-14.20.0-6.31.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2417-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1201099,1201325,1201326,1201327,1201328
CVE References: CVE-2022-2097,CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs12-12.22.12-1.51.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2425-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): nodejs14-14.20.0-150200.15.34.1
openSUSE Leap 15.3 (src): nodejs14-14.20.0-150200.15.34.1
SUSE Manager Server 4.1 (src): nodejs14-14.20.0-150200.15.34.1
SUSE Manager Retail Branch Server 4.1 (src): nodejs14-14.20.0-150200.15.34.1
SUSE Manager Proxy 4.1 (src): nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): nodejs14-14.20.0-150200.15.34.1
SUSE Enterprise Storage 7 (src): nodejs14-14.20.0-150200.15.34.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2430-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): nodejs12-12.22.12-150200.4.35.1
openSUSE Leap 15.3 (src): nodejs12-12.22.12-150200.4.35.1
SUSE Manager Server 4.1 (src): nodejs12-12.22.12-150200.4.35.1
SUSE Manager Retail Branch Server 4.1 (src): nodejs12-12.22.12-150200.4.35.1
SUSE Manager Proxy 4.1 (src): nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): nodejs12-12.22.12-150200.4.35.1
SUSE Enterprise Storage 7 (src): nodejs12-12.22.12-150200.4.35.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2491-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): nodejs16-16.16.0-150400.3.3.2
SUSE Linux Enterprise Module for Web Scripting 15-SP4 (src): nodejs16-16.16.0-150400.3.3.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2551-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1192489,1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): nodejs16-16.16.0-150300.7.6.2
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): nodejs16-16.16.0-150300.7.6.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2855-1: An update that fixes 8 vulnerabilities is now available.
Category: security (important)
Bug References: 1188917,1189368,1191601,1191602,1201325,1201326,1201327,1201328
CVE References: CVE-2021-22930,CVE-2021-22940,CVE-2021-22959,CVE-2021-22960,CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): nodejs10-10.24.1-150000.1.47.1
openSUSE Leap 15.3 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Manager Server 4.1 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Manager Retail Branch Server 4.1 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Manager Proxy 4.1 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server for SAP 15 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-LTSS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Enterprise Storage 7 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Enterprise Storage 6 (src): nodejs10-10.24.1-150000.1.47.1
SUSE CaaS Platform 4.0 (src): nodejs10-10.24.1-150000.1.47.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done, closing
Re-opening as the fix was incomplete. llhttp needs an update to 2.1.6: https://github.com/nodejs/node/commit/a9f1146b88
This incomplete fix also affects newer nodejs versions. See https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/
This is an autogenerated message for OBS integration: This bug (1201325) was mentioned in
https://build.opensuse.org/request/show/1006689 Factory / nodejs18
https://build.opensuse.org/request/show/1006690 Factory / nodejs16
This is an autogenerated message for OBS integration: This bug (1201325) was mentioned in
https://build.opensuse.org/request/show/1006992 Factory / nodejs18
SUSE-SU-2022:3503-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs12-12.22.12-1.54.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3516-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs14-14.20.1-6.34.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3524-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1201325,1201327,1203831,1203832
CVE References: CVE-2022-32213,CVE-2022-32215,CVE-2022-35255,CVE-2022-35256
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs16-16.17.1-8.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3614-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): nodejs14-14.20.1-150200.15.37.1
openSUSE Leap 15.3 (src): nodejs14-14.20.1-150200.15.37.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): nodejs14-14.20.1-150200.15.37.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3615-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1201325,1201327,1203831,1203832
CVE References: CVE-2022-32213,CVE-2022-32215,CVE-2022-35255,CVE-2022-35256
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): nodejs16-16.17.1-150300.7.12.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): nodejs16-16.17.1-150300.7.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3616-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): nodejs12-12.22.12-150200.4.38.1
openSUSE Leap 15.3 (src): nodejs12-12.22.12-150200.4.38.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): nodejs12-12.22.12-150200.4.38.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3656-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1201325,1201327,1203831,1203832
CVE References: CVE-2022-32213,CVE-2022-32215,CVE-2022-35255,CVE-2022-35256
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): nodejs16-16.17.1-150400.3.9.1
SUSE Linux Enterprise Module for Web Scripting 15-SP4 (src): nodejs16-16.17.1-150400.3.9.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3835-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): nodejs10-10.24.1-150000.1.50.1
openSUSE Leap 15.3 (src): nodejs10-10.24.1-150000.1.50.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.