QID 355273

Date Published: 2023-05-29

QID 355273: Amazon Linux Security Advisory for nodejs : ALAS2023-2023-084

An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.js. Spaces as part of header names were accepted as valid. In situations where HTTP conversations are being proxied (such as through a proxy, reverse proxy, or load balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity. (CVE-2021-22959)

An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.js. During the parsing of chunked messages, the chunk size parameter was not validated properly. (CVE-2021-22960)

A flaw was found in npm. The npm ci command proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. (CVE-2021-43616)

A flaw was found in Node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host. (CVE-2021-44531)

It was found that Node.js did not safely read the X.509 certificate GeneralName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.

Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as High - 7.5 severity.
  • Solution
    Please refer to Amazon advisory ALAS2023-2023-084 for affected packages and patching details, or update with your package manager.

    Vendor References
    Software Advisories

    Advisory ID         Software Component   Link
    ALAS2023-2023-084   amazon linux 2023    alas.aws.amazon.com/AL2023/ALAS-2023-084.html