Home

CVE-2021-22960

Description

The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

Risk Information

Base Score
6.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score
Exploitation Probability
0.229

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2021-22959,CVE-2021-22960 are fixed in Node.js 12 (x64) (12.22.7)Windows
Vulnerabilities CVE-2021-22959,CVE-2021-22960 are fixed in Node.js 12 (12.22.7)Windows
Vulnerabilities CVE-2021-22959,CVE-2021-22960 are fixed in Node.js 14 (x64) (14.18.1)Windows
Vulnerabilities CVE-2021-22959,CVE-2021-22960 are fixed in Node.js 14 (14.18.1)Windows
Vulnerabilities CVE-2021-22959,CVE-2021-22960 are fixed in Node.js 16 (x64) (16.11.1)Windows
Vulnerabilities CVE-2021-22959,CVE-2021-22960 are fixed in Node.js 16 (16.11.1)Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 20.0.0.2Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 11.0.1Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 18.0.0.1Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 19.0.0.3Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 21.0.3Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.2Windows
(RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update nodejs-16.13.1-3.module+el8.5.0+13548+45d748af.x86_64.rpmLinux
(RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update nodejs-debugsource-16.13.1-3.module+el8.5.0+13548+45d748af.x86_64.rpmLinux
(RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update nodejs-devel-16.13.1-3.module+el8.5.0+13548+45d748af.x86_64.rpmLinux
(RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update nodejs-docs-16.13.1-3.module+el8.5.0+13548+45d748af.noarch.rpmLinux
(RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update nodejs-full-i18n-16.13.1-3.module+el8.5.0+13548+45d748af.x86_64.rpmLinux
(RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update nodejs-nodemon-2.0.15-1.module+el8.5.0+13548+45d748af.noarch.rpmLinux
(RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.noarch.rpmLinux
(RHSA-2021:5171) nodejs:16 security, bug fix, and enhancement update npm-8.1.2-1.16.13.1.3.module+el8.5.0+13548+45d748af.x86_64.rpmLinux
Nodejs update (ELSA-2021-5171) nodejs-16.13.1-3.0.1.module+el8.5.0+20457+52828f44.x86_64.rpmLinux
Nodejs-devel update (ELSA-2021-5171) nodejs-devel-16.13.1-3.0.1.module+el8.5.0+20457+52828f44.x86_64.rpmLinux
Nodejs-docs update (ELSA-2021-5171) nodejs-docs-16.13.1-3.0.1.module+el8.5.0+20457+52828f44.noarch.rpmLinux
Nodejs-full-i18n update (ELSA-2021-5171) nodejs-full-i18n-16.13.1-3.0.1.module+el8.5.0+20457+52828f44.x86_64.rpmLinux
Nodejs-nodemon update (ELSA-2021-5171) nodejs-nodemon-2.0.15-1.module+el8.5.0+20457+52828f44.noarch.rpmLinux
Nodejs-packaging update (ELSA-2021-5171) nodejs-packaging-25-1.module+el8.5.0+20388+4b61e68d.noarch.rpmLinux
Npm update (ELSA-2021-5171) npm-8.1.2-1.16.13.1.3.0.1.module+el8.5.0+20457+52828f44.x86_64.rpmLinux
Nodejs update (ELSA-2022-0350) nodejs-14.18.2-2.module+el8.5.0+20489+261d51d3.x86_64.rpmLinux
Nodejs-devel update (ELSA-2022-0350) nodejs-devel-14.18.2-2.module+el8.5.0+20489+261d51d3.x86_64.rpmLinux
Nodejs-docs update (ELSA-2022-0350) nodejs-docs-14.18.2-2.module+el8.5.0+20489+261d51d3.noarch.rpmLinux
Nodejs-full-i18n update (ELSA-2022-0350) nodejs-full-i18n-14.18.2-2.module+el8.5.0+20489+261d51d3.x86_64.rpmLinux
Nodejs-nodemon update (ELSA-2022-0350) nodejs-nodemon-2.0.15-1.module+el8.5.0+20489+261d51d3.noarch.rpmLinux
Nodejs-packaging update (ELSA-2022-0350) nodejs-packaging-23-3.module+el8.3.0+7818+6cd30d85.noarch.rpmLinux
Npm update (ELSA-2022-0350) npm-6.14.15-1.14.18.2.2.module+el8.5.0+20489+261d51d3.x86_64.rpmLinux
(RHSA-2022:0350) nodejs:14 security, bug fix, and enhancement update nodejs-14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64.rpmLinux
(RHSA-2022:0350) nodejs:14 security, bug fix, and enhancement update nodejs-debugsource-14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64.rpmLinux
(RHSA-2022:0350) nodejs:14 security, bug fix, and enhancement update nodejs-devel-14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64.rpmLinux
(RHSA-2022:0350) nodejs:14 security, bug fix, and enhancement update nodejs-docs-14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch.rpmLinux
(RHSA-2022:0350) nodejs:14 security, bug fix, and enhancement update nodejs-full-i18n-14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64.rpmLinux
(RHSA-2022:0350) nodejs:14 security, bug fix, and enhancement update nodejs-nodemon-2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch.rpmLinux
(RHSA-2022:0350) nodejs:14 security, bug fix, and enhancement update npm-6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64.rpmLinux
nodejs security update(DSA-5170-1) nodejs_12.22.12~dfsg-1~deb11u1_amd64.debLinux
nodejs Security Update (ALAS2023-2023-084) v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64.rpmLinux
nodejs Security Update (ALAS2023-2023-084) nodejs-18.12.1-1.amzn2023.0.2.x86_64.rpmLinux
nodejs Security Update (ALAS2023-2023-084) nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64.rpmLinux
nodejs Security Update (ALAS2023-2023-084) nodejs-docs-18.12.1-1.amzn2023.0.2.noarch.rpmLinux
nodejs Security Update (ALAS2023-2023-084) nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64.rpmLinux
nodejs Security Update (ALAS2023-2023-084) nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64.rpmLinux
nodejs Security Update (ALAS2023-2023-084) npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64.rpmLinux

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-324371Node.js 12 (x64) (12.22.12)
PATCH-324370Node.js 12 (12.22.12)
PATCH-329083Node.js 14 (x64) (14.21.3)
PATCH-329082Node.js 14 (14.21.3)
PATCH-331257Node.js 16 (x64) (16.20.1)
PATCH-331256Node.js 16 (16.20.1)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234