Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-b54b-pd2b-bygm
Vulnerability ID VCID-b54b-pd2b-bygm
Aliases CVE-2022-32213
GHSA-5689-v88g-g6rv
Summary llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). Impacts: - All versions of the nodejs 18.x, 16.x, and 14.x releases lines. - llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32213.json
epss 0.88458 https://api.first.org/data/v1/epss?cve=CVE-2022-32213
epss 0.89626 https://api.first.org/data/v1/epss?cve=CVE-2022-32213
epss 0.89626 https://api.first.org/data/v1/epss?cve=CVE-2022-32213
epss 0.89626 https://api.first.org/data/v1/epss?cve=CVE-2022-32213
epss 0.89626 https://api.first.org/data/v1/epss?cve=CVE-2022-32213
epss 0.89626 https://api.first.org/data/v1/epss?cve=CVE-2022-32213
cvssv3.1 9.1 https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
generic_textual CRITICAL https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
cvssv3.1 6.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-5689-v88g-g6rv
cvssv3.1 9.1 https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb
generic_textual CRITICAL https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb
cvssv3.1 9.1 https://hackerone.com/reports/1524555
generic_textual CRITICAL https://hackerone.com/reports/1524555
cvssv3.1 9.1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK
generic_textual CRITICAL https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK
cvssv3.1 9.1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3
generic_textual CRITICAL https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3
cvssv3.1 9.1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY
generic_textual CRITICAL https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY
cvssv3.1 9.1 https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
generic_textual CRITICAL https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
cvssv3.1 9.1 https://nvd.nist.gov/vuln/detail/CVE-2022-32213
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2022-32213
cvssv3.1 9.1 https://security.netapp.com/advisory/ntap-20220915-0001
generic_textual CRITICAL https://security.netapp.com/advisory/ntap-20220915-0001
cvssv3.1 9.1 https://www.debian.org/security/2023/dsa-5326
generic_textual CRITICAL https://www.debian.org/security/2023/dsa-5326
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32213.json
https://api.first.org/data/v1/epss?cve=CVE-2022-32213
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35255
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb
https://hackerone.com/reports/1524555
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
https://nvd.nist.gov/vuln/detail/CVE-2022-32213
https://security.netapp.com/advisory/ntap-20220915-0001
https://security.netapp.com/advisory/ntap-20220915-0001/
https://www.debian.org/security/2023/dsa-5326
2105430 https://bugzilla.redhat.com/show_bug.cgi?id=2105430
GHSA-5689-v88g-g6rv https://github.com/advisories/GHSA-5689-v88g-g6rv
GLSA-202405-29 https://security.gentoo.org/glsa/202405-29
RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389
RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448
RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449
RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595
RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985
USN-6491-1 https://usn.ubuntu.com/6491-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32213.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/nodejs/llhttp/commit/18a4afc7ffb4e49dc9e2daebc50588199a6d1dbb
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://hackerone.com/reports/1524555
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-32213
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://security.netapp.com/advisory/ntap-20220915-0001
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.debian.org/security/2023/dsa-5326
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.99504
EPSS Score 0.88458
Published At April 16, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:07:23.563167+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-5689-v88g-g6rv/GHSA-5689-v88g-g6rv.json 38.0.0