CVE-2021-22959

Summary

CVE	CVE-2021-22959
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-11-15 15:15:00 UTC
Updated	2022-12-09 16:14:00 UTC
Description	The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

Risk And Classification

Problem Types: CWE-444

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	11.0	All	All	All
Application	Llhttp	Llhttp	All	All	All	All
Application	Oracle	Graalvm	20.3.4	All	All	All
Application	Oracle	Graalvm	21.3.0	All	All	All

References

Reference	Source	Link	Tags
HackerOne	MISC	hackerone.com
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
Debian -- Security Information -- DSA-5170-1 nodejs	DEBIAN	www.debian.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159554 Oracle Enterprise Linux Security Update for nodejs:16 (ELSA-2021-5171)
159622 Oracle Enterprise Linux Security Update for nodejs:14 (ELSA-2022-0350)
179565 Debian Security Update for nodejs (DSA 5170-1)
184251 Debian Security Update for nodejs (CVE-2021-22959)
239970 Red Hat Update for nodejs:16 security (RHSA-2021:5171)
239986 Red Hat Update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2022:0041)
240037 Red Hat Update for nodejs:14 security (RHSA-2022:0246)
240051 Red Hat Update for nodejs:14 security (RHSA-2022:0350)
240414 Red Hat Update for rh-nodejs12-nodejs security (RHSA-2022:4914)
282007 Fedora Security Update for nodejs (FEDORA-2021-9807b754d9)
282008 Fedora Security Update for nodejs (FEDORA-2021-cbad295a90)
296065 Oracle Solaris 11.4 Support Repository Update (SRU) 39.107.1 Missing (CPUOCT2021)
354342 Amazon Linux Security Advisory for nodejs : ALAS2022-2022-214
354475 Amazon Linux Security Advisory for nodejs : ALAS2022-2022-013
354537 Amazon Linux Security Advisory for nodejs : ALAS-2022-214
355273 Amazon Linux Security Advisory for nodejs : ALAS2023-2023-084
376028 Node.js Hypertext Transfer Protocol (HTTP) Request Smuggling When Parsing The Body Vulnerability (OCT 2021)
376431 Azul Java Multiple Vulnerabilities Security Update January 2022
377422 Alibaba Cloud Linux Security Update for nodejs:14 (ALINUX3-SA-2022:0014)
500441 Alpine Linux Security Update for nodejs
501455 Alpine Linux Security Update for nodejs
501884 Alpine Linux Security Update for nodejs-current
502122 Alpine Linux Security Update for nodejs-current
504209 Alpine Linux Security Update for nodejs
690193 Free Berkeley Software Distribution (FreeBSD) Security Update for node.js (a9c5e89d-2d15-11ec-8363-0022489ad614)
751457 OpenSUSE Security Update for nodejs12 (openSUSE-SU-2021:3940-1)
751475 OpenSUSE Security Update for nodejs14 (openSUSE-SU-2021:3964-1)
751509 OpenSUSE Security Update for nodejs12 (openSUSE-SU-2021:1574-1)
751518 OpenSUSE Security Update for nodejs14 (openSUSE-SU-2021:1552-1)
752490 SUSE Enterprise Linux Security Update for nodejs10 (SUSE-SU-2022:2855-1)
940355 AlmaLinux Security Update for nodejs:16 (ALSA-2021:5171)
940448 AlmaLinux Security Update for nodejs:14 (ALSA-2022:0350)
960322 Rocky Linux Security Update for nodejs:16 (RLSA-2021:5171)
960863 Rocky Linux Security Update for nodejs:14 (RLSA-2022:0350)