CVE-2022-32215

Name: CVE-2022-32215
Creator: NVD / NIST
Published: 2022-07-14T15:15:08.387+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 68.80%

Last modified Jun 17, 2026

CVE-2022-32215 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).. EPSS estimates a 68.80% chance of exploitation in the next 30 days.

Description

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Probability

68.80%

99.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Llhttp	Llhttp	>= 14.0.0, < 14.20.1
Llhttp	Llhttp	>= 16.0.0, < 16.17.1
Llhttp	Llhttp	>= 18.0.0, < 18.9.1
Nodejs	Node.Js	>= 14.0.0, <= 14.14.0
Nodejs	Node.Js	>= 14.15.0, < 14.20.0
Nodejs	Node.Js	>= 16.0.0, <= 16.12.0
Nodejs	Node.Js	>= 16.13.0, < 16.16.0
Nodejs	Node.Js	>= 18.0.0, < 18.5.0
Fedoraproject	Fedora	35
Fedoraproject	Fedora	36
Fedoraproject	Fedora	37
Siemens	Sinec Ins	1.0
Debian	Debian Linux	11.0
Stormshield	Stormshield Management Center	< 3.3.2

References

https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdfPatch, Third Party Advisory
https://hackerone.com/reports/1501679Exploit, Issue Tracking, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/Patch, Vendor Advisory
https://www.debian.org/security/2023/dsa-5326Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdfPatch, Third Party Advisory
https://hackerone.com/reports/1501679Exploit, Issue Tracking, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/Patch, Vendor Advisory
https://www.debian.org/security/2023/dsa-5326Third Party Advisory

Timeline

Published: Jul 14, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-32215?

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

How severe is CVE-2022-32215?

CVE-2022-32215 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 68.80% probability of exploitation in the next 30 days.

How do I fix CVE-2022-32215?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-32215?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST