Vulnerability details: VCID-8c4g-fjsa-nkhw
Vulnerability ID VCID-8c4g-fjsa-nkhw
Aliases CVE-2022-32214
GHSA-q5vx-44v4-gch4
Summary llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields. The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. The LF character (without CR) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC 7230 section 3, only the CRLF sequence should delimit each header-field. This can lead to HTTP Request Smuggling (HRS).
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32214.json
epss 0.45841 https://api.first.org/data/v1/epss?cve=CVE-2022-32214
cvssv3.1 9.1 https://datatracker.ietf.org/doc/html/rfc7230#section-3
generic_textual CRITICAL https://datatracker.ietf.org/doc/html/rfc7230#section-3
cvssv3.1 6.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-q5vx-44v4-gch4
cvssv3.1 9.1 https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb
generic_textual CRITICAL https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb
cvssv3.1 9.1 https://hackerone.com/reports/1524692
generic_textual CRITICAL https://hackerone.com/reports/1524692
cvssv3.1 9.1 https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
generic_textual CRITICAL https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
cvssv3.1 9.1 https://nvd.nist.gov/vuln/detail/CVE-2022-32214
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2022-32214
cvssv3.1 9.1 https://security.netapp.com/advisory/ntap-20220915-0001
generic_textual CRITICAL https://security.netapp.com/advisory/ntap-20220915-0001
cvssv3.1 9.1 https://www.debian.org/security/2023/dsa-5326
generic_textual CRITICAL https://www.debian.org/security/2023/dsa-5326
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32214.json
https://api.first.org/data/v1/epss?cve=CVE-2022-32214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35255
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548
https://datatracker.ietf.org/doc/html/rfc7230#section-3
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb
https://hackerone.com/reports/1524692
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
https://nvd.nist.gov/vuln/detail/CVE-2022-32214
https://security.netapp.com/advisory/ntap-20220915-0001
https://security.netapp.com/advisory/ntap-20220915-0001/
https://www.debian.org/security/2023/dsa-5326
2105428 https://bugzilla.redhat.com/show_bug.cgi?id=2105428
GHSA-q5vx-44v4-gch4 https://github.com/advisories/GHSA-q5vx-44v4-gch4
GLSA-202405-29 https://security.gentoo.org/glsa/202405-29
RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389
RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448
RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449
RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595
RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985
USN-6491-1 https://usn.ubuntu.com/6491-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32214.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://datatracker.ietf.org/doc/html/rfc7230#section-3
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://hackerone.com/reports/1524692
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-32214
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://security.netapp.com/advisory/ntap-20220915-0001
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.debian.org/security/2023/dsa-5326
Exploit Prediction Scoring System (EPSS)
Percentile 0.97608
EPSS Score 0.45841
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:07:21.420677+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-q5vx-44v4-gch4/GHSA-q5vx-44v4-gch4.json 38.0.0