CVE-2021-22959 Overview
CVE-2021-22959 is an HTTP Request Smuggling vulnerability affecting the llhttp parser, a critical component used for HTTP parsing in Node.js applications. The vulnerability exists because the parser incorrectly accepts HTTP requests that contain a space character immediately after the header name, before the colon delimiter. This non-compliant parsing behavior violates HTTP specifications and creates an opportunity for attackers to exploit differences between front-end and back-end server interpretations.
HTTP Request Smuggling attacks leverage inconsistencies in how multiple HTTP servers in a request chain parse and interpret requests. When an attacker crafts a malformed request that is parsed differently by a front-end proxy and a back-end server, they can effectively "smuggle" a second request within the first one.
Critical Impact
Attackers can exploit this vulnerability to bypass security controls, poison web caches, hijack user sessions, and gain unauthorized access to sensitive data by smuggling malicious HTTP requests through vulnerable llhttp parsers.
Affected Products
- llhttp versions prior to v2.1.4
- llhttp versions prior to v6.0.6
- Oracle GraalVM Enterprise Edition 20.3.4 and 21.3.0
- Debian Linux 11.0
Discovery Timeline
- 2021-11-15 - CVE-2021-22959 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-22959
Vulnerability Analysis
The vulnerability resides in llhttp's HTTP header parsing logic. According to HTTP specifications (RFC 7230), header field names must be immediately followed by a colon with no intervening whitespace. The llhttp parser incorrectly tolerates a space character between the header name and the colon, creating a parsing inconsistency.
This parsing discrepancy becomes dangerous in environments where multiple HTTP processors handle the same request. A front-end server (such as a load balancer or reverse proxy) may parse the request one way, while the back-end server using llhttp parses it differently. This desynchronization allows attackers to inject secondary requests that bypass security controls.
The vulnerability is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests), which specifically addresses HTTP Request Smuggling scenarios. The network-based attack vector requires no authentication or user interaction, making it relatively straightforward to exploit in vulnerable deployments.
Root Cause
The root cause is improper input validation in the llhttp parser's header parsing state machine. The parser fails to reject header lines where a space character appears between the header field-name and the required colon delimiter. According to RFC 7230 Section 3.2, the proper format is field-name ":" OWS field-value OWS, with no whitespace permitted before the colon.
This permissive parsing behavior violates HTTP specifications and creates an inconsistency when llhttp operates behind or alongside other HTTP processors that strictly adhere to the specification.
Attack Vector
The attack exploits the network-accessible HTTP parsing layer. An attacker sends a specially crafted HTTP request containing a header with a space before the colon, such as Content-Length : 0. Different servers in the request chain interpret this header differently:
- A standards-compliant front-end proxy does not recognize "Content-Length " (with the trailing space) as the Content-Length header, so it may ignore it for message framing
- The llhttp-based back-end server accepts the header and uses its value for message framing
- Because the two parsers disagree about where the message body ends, the attacker controls how message boundaries are interpreted
Successful exploitation can result in request routing manipulation, cache poisoning, session hijacking, and bypassing of Web Application Firewalls (WAFs) or other security controls. The vulnerability does not directly compromise confidentiality or integrity of the vulnerable system itself but enables attacks against other users and downstream systems.
Detection Methods for CVE-2021-22959
Indicators of Compromise
- HTTP access logs showing requests with unusual whitespace patterns in header names
- Web cache entries containing unexpected or poisoned content
- Anomalous session behavior or unauthorized access to user accounts
- IDS/IPS alerts for malformed HTTP headers or request smuggling attempts
Detection Strategies
- Deploy network-level monitoring to detect HTTP requests with spaces before header colons
- Implement WAF rules that strictly validate HTTP header syntax according to RFC 7230
- Enable detailed HTTP access logging and analyze for malformed request patterns
- Use application-layer packet inspection to identify request smuggling attempts
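A worked check for the parsing discrepancy described under Root Cause and Attack Vector, and for the "spaces before header colons" detection strategy above. This is an added example, not code from this advisory or from llhttp itself; parseHead, framingDisagrees and the sample request heads are constructed here for illustration.

```javascript
'use strict';
// Added example, not code from the advisory or from llhttp: a header-line
// check in the spirit of RFC 7230 section 3.2, which flags the CVE-2021-22959
// pattern (whitespace between field-name and colon) and shows how a tolerant
// parser and a strict parser frame the same request differently.

const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";      // tchar, RFC 7230 section 3.2.6
const VALID = new RegExp(`^(${TOKEN}):[ \\t]*(.*?)[ \\t]*$`);
const BAD_WS = new RegExp(`^(${TOKEN})[ \\t]+:[ \\t]*(.*?)[ \\t]*$`);

// Parse the head of a raw HTTP/1.1 request (CRLF-delimited, ends with an
// empty line). tolerant=true mimics the pre-fix behaviour the advisory
// describes (space before the colon accepted); tolerant=false rejects the
// request with a 400, as a strictly RFC-compliant parser would.
function parseHead(raw, tolerant) {
  const [requestLine, ...rest] = raw.split('\r\n');
  const headers = {};
  const findings = [];
  for (const line of rest) {
    if (line === '') break;                       // end of header block
    let m = VALID.exec(line);
    if (m) { headers[m[1].toLowerCase()] = m[2]; continue; }
    m = BAD_WS.exec(line);
    if (m) {
      findings.push(`whitespace before colon in header "${m[1]}"`);
      if (!tolerant) return { ok: false, status: 400, requestLine, headers, findings };
      headers[m[1].toLowerCase()] = m[2];         // tolerant: accept anyway
      continue;
    }
    findings.push(`unparseable header line ${JSON.stringify(line)}`);
  }
  return { ok: true, status: 200, requestLine, headers, findings };
}

// Detection helper for log or capture review: true when a tolerant and a
// strict parser would disagree about how this request is framed.
function framingDisagrees(raw) {
  const tolerant = parseHead(raw, true);
  const strict = parseHead(raw, false);
  const framing = (h) => `${h['content-length'] || ''}|${h['transfer-encoding'] || ''}`;
  return !strict.ok || framing(tolerant.headers) !== framing(strict.headers);
}

// Constructed sample request heads; SAMPLE carries the advisory's example header.
const SAMPLE = 'POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length : 0\r\n\r\n';
const CLEAN = 'POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 0\r\n\r\n';
console.log(parseHead(SAMPLE, true).headers, parseHead(SAMPLE, false).status);
console.log(framingDisagrees(SAMPLE), framingDisagrees(CLEAN));
```

Run the framingDisagrees check over captured request heads from access logs or packet captures to surface requests that a front end and an unpatched llhttp back end would frame differently.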
Monitoring Recommendations
- Monitor llhttp version in use across all Node.js applications and update inventory
- Review logs from reverse proxies and load balancers for parsing discrepancies
- Implement alerting for cache poisoning indicators such as unexpected cache key collisions
- Audit downstream systems for signs of unauthorized access or session anomalies
How to Mitigate CVE-2021-22959
Immediate Actions Required
- Upgrade llhttp to version 2.1.4 or later (for the 2.x branch) or version 6.0.6 or later (for the 6.x branch)
- Update Node.js to a version that includes the patched llhttp parser
- Review and update Oracle GraalVM installations if using affected versions
- Apply Debian security updates if running Debian Linux 11.0
Patch Information
The vulnerability has been addressed in llhttp versions 2.1.4 and 6.0.6. Vendor advisories with additional details are available:
- Oracle CPU January 2022 Alert - Contains patch information for Oracle GraalVM
- Debian Security Advisory DSA-5170 - Debian-specific patching guidance
- HackerOne Report #1238709 - Original vulnerability report with technical details
Workarounds
- Deploy a strictly RFC-compliant reverse proxy or WAF in front of llhttp-based applications to reject malformed headers
- Configure front-end servers to normalize or reject requests with whitespace anomalies in headers
- Implement request validation at the application layer to detect and block smuggling patterns
- Consider network segmentation to limit exposure of vulnerable services while patches are applied
# Verify the Node.js release and the llhttp version bundled with it
node -e "console.log('node', process.versions.node, 'llhttp', process.versions.llhttp)"
# Update Node.js to a release that bundles llhttp 2.1.4+ (2.x) or 6.0.6+ (6.x), using your package manager or version manager
# For npm-based projects that depend on the llhttp package directly, update dependencies
npm update
# Verify the llhttp package version installed in the project
npm list llhttp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.