CVE-2022-32213 Overview
CVE-2022-32213 is an HTTP Request Smuggling vulnerability in the llhttp parser used by Node.js. In Node.js versions prior to v14.20.1, v16.17.1, and v18.9.1, the llhttp parser in the http module fails to correctly parse and validate Transfer-Encoding headers, allowing attackers to smuggle malicious HTTP requests through web infrastructure.
Critical Impact
This vulnerability enables attackers to bypass security controls, poison web caches, and hijack user sessions by exploiting inconsistent HTTP request parsing between front-end and back-end servers.
Affected Products
- Node.js versions prior to v14.20.1, v16.17.1, and v18.9.1
- llhttp parser (all versions prior to patched releases)
- Siemens SINEC INS versions 1.0, 1.0 SP1, and 1.0 SP2
- Fedora 35, 36, and 37
- Debian Linux 11.0
- Stormshield Management Center
Discovery Timeline
- July 14, 2022 - CVE-2022-32213 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-32213
Vulnerability Analysis
This vulnerability stems from improper handling of Transfer-Encoding headers in the llhttp HTTP parser, which is the default HTTP parser for Node.js. When processing HTTP requests, the parser fails to strictly validate Transfer-Encoding header values, allowing malformed or ambiguous headers to be accepted and processed differently than intended.
HTTP Request Smuggling occurs when front-end and back-end servers interpret the boundaries of HTTP requests differently. In this case, an attacker can craft requests with specially formatted Transfer-Encoding headers that cause the llhttp parser to interpret request boundaries differently than a proxy or load balancer would, effectively "smuggling" a second request hidden within the first.
The impact includes the ability to bypass security controls, perform web cache poisoning, hijack authenticated sessions, and execute unauthorized actions on behalf of other users. Organizations using Node.js applications behind reverse proxies or CDNs are particularly at risk.
Root Cause
The root cause is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests), also known as HTTP Request/Response Smuggling. The llhttp parser does not properly reject or normalize malformed Transfer-Encoding header values, leading to parsing inconsistencies between different HTTP implementations in a request chain.
The vulnerability specifically involves the parser accepting Transfer-Encoding headers with improper formatting, spacing, or invalid values that should be rejected according to HTTP specifications. This lax parsing creates opportunities for request boundary confusion.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends specially crafted HTTP requests to a vulnerable Node.js application, typically positioned behind a reverse proxy, load balancer, or CDN. The attack exploits the difference in how the front-end server and the Node.js back-end interpret the request boundaries.
A typical attack scenario involves sending a request with ambiguous Transfer-Encoding and Content-Length headers that cause the front-end to see one request while the back-end llhttp parser interprets it as two separate requests. The "smuggled" second request can then be processed with the security context or session of subsequent legitimate requests from other users.
For detailed technical information about the vulnerability, see the HackerOne Report #1524555 and the Node.js July 2022 Security Blog.
Detection Methods for CVE-2022-32213
Indicators of Compromise
- Unusual or malformed Transfer-Encoding headers in HTTP request logs (e.g., Transfer-Encoding: chunked, chunked or headers with unusual whitespace)
- HTTP 400 errors or parsing failures from back-end servers that don't match front-end proxy logs
- Evidence of cache poisoning where cached responses don't match expected content
- Session hijacking indicators such as authenticated actions performed without valid user sessions
Detection Strategies
- Deploy web application firewalls (WAF) with rules to detect and block HTTP request smuggling attempts, specifically targeting malformed Transfer-Encoding headers
- Implement strict HTTP parsing validation at the network perimeter to reject requests with ambiguous or malformed headers
- Use SentinelOne Singularity Platform to monitor Node.js processes for anomalous behavior patterns associated with request smuggling exploitation
- Audit and compare HTTP logs between front-end proxies and back-end Node.js applications for request count discrepancies
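One way to run the front-end/back-end log comparison described above, as an added example that is not part of the original advisory. It assumes the proxy stamps every forwarded request with a unique request id that both tiers log; the field names (id, method, path) and the log entries are constructed for illustration.

```javascript
// Added example: reconcile proxy and Node.js request logs to surface requests
// the back end handled that the front end never forwarded as such.
// Assumption: the proxy overwrites a request-id header on each forwarded
// request and both tiers log it. Field names are hypothetical.
function reconcile(frontEntries, backEntries) {
  const issued = new Map(frontEntries.map((e) => [e.id, e]));
  const matched = new Set();
  const report = {
    surplus: backEntries.length - frontEntries.length, // > 0: back end saw extra requests
    unstamped: [],    // back-end request with no proxy-issued id
    unknownId: [],    // id the proxy never issued (client-supplied value)
    replayedId: [],   // id already consumed by an earlier back-end request
    mismatch: [],     // same id, different method or path on each tier
    neverArrived: [], // forwarded by the proxy, never logged by the back end
  };
  for (const back of backEntries) {
    if (!back.id) { report.unstamped.push(back); continue; }
    const front = issued.get(back.id);
    if (!front) { report.unknownId.push(back); continue; }
    if (matched.has(back.id)) { report.replayedId.push(back); continue; }
    matched.add(back.id);
    if (front.method !== back.method || front.path !== back.path) {
      report.mismatch.push({ front, back });
    }
  }
  for (const front of frontEntries) {
    if (!matched.has(front.id)) report.neverArrived.push(front);
  }
  return report;
}

// Constructed log entries (not real traffic): the proxy forwarded two
// requests, the back end logged four.
const FRONT_LOG = [
  { id: 'r1', method: 'POST', path: '/search' },
  { id: 'r2', method: 'GET', path: '/account' },
];
const BACK_LOG = [
  { id: 'r1', method: 'POST', path: '/search' },
  { id: null, method: 'GET', path: '/internal/status' },
  { id: 'r2', method: 'GET', path: '/account' },
  { id: 'r1', method: 'GET', path: '/account' },
];

console.log(JSON.stringify(reconcile(FRONT_LOG, BACK_LOG), null, 2));
```

Any non-empty unstamped, unknownId or replayedId bucket means the back end parsed a request boundary the proxy did not, which is the discrepancy this audit is looking for.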
Monitoring Recommendations
- Enable detailed HTTP access logging on all tiers (proxies, load balancers, application servers) to facilitate forensic analysis
- Configure alerts for requests containing multiple Transfer-Encoding headers or unusual header value patterns
- Monitor for sudden increases in HTTP 400-series errors that may indicate exploitation attempts or parsing inconsistencies
- Track session activity for anomalous patterns suggesting session hijacking through request smuggling
How to Mitigate CVE-2022-32213
Immediate Actions Required
- Upgrade Node.js to version 14.20.1, 16.17.1, 18.9.1, or later immediately
- Audit all production systems to identify Node.js installations and their versions
- Review network architecture to ensure robust request validation at the perimeter
- Implement temporary WAF rules to block suspicious Transfer-Encoding patterns until patches are applied
Patch Information
The Node.js project released security patches in July 2022 addressing this vulnerability. Organizations should upgrade to the following minimum versions:
- Node.js 14.x: Upgrade to 14.20.1 or later
- Node.js 16.x: Upgrade to 16.17.1 or later
- Node.js 18.x: Upgrade to 18.9.1 or later
For detailed patch information, consult the Node.js July 2022 Security Blog. Siemens users should refer to the Siemens Security Advisory SSA-332410 for SINEC INS-specific guidance.
Workarounds
- Configure reverse proxies or load balancers to normalize or reject requests with ambiguous Transfer-Encoding headers before they reach Node.js applications
- Deploy a WAF with HTTP request smuggling detection rules as an interim protective measure
- Ensure front-end proxies use the same HTTP parsing behavior as the back-end by configuring strict mode where available
- Consider implementing request validation middleware in Node.js applications to reject suspicious header patterns
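A sketch of the request validation middleware suggested above, which also implements the header checks listed under Indicators of Compromise and Monitoring Recommendations. This is an added example, not code from Node.js, llhttp or the original advisory; the function names, the log event name and the sample header sets are assumptions, and the policy of accepting only an exact "chunked" value is deliberately stricter than the HTTP specification.

```javascript
// Added example (not Node.js or llhttp code): strict request-framing checks.
// Policy assumption: the only Transfer-Encoding value accepted is exactly "chunked".

// rawHeaders is a flat [name, value, ...] array, the shape of req.rawHeaders.
function inspectFraming(rawHeaders) {
  const te = [];
  const cl = [];
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = String(rawHeaders[i]).trim().toLowerCase();
    if (name === 'transfer-encoding') te.push(String(rawHeaders[i + 1]));
    if (name === 'content-length') cl.push(String(rawHeaders[i + 1]));
  }
  const findings = [];
  if (te.length > 1) findings.push('multiple Transfer-Encoding headers');
  for (const value of te) {
    // Rejects lists ("chunked, chunked"), padding, tabs, folded lines, other codings.
    if (!/^chunked$/i.test(value)) {
      findings.push(`non-canonical Transfer-Encoding value ${JSON.stringify(value)}`);
    }
  }
  if (te.length > 0 && cl.length > 0) {
    findings.push('Transfer-Encoding and Content-Length both present');
  }
  if (new Set(cl).size > 1) findings.push('conflicting Content-Length headers');
  for (const value of cl) {
    if (!/^[0-9]+$/.test(value)) {
      findings.push(`non-numeric Content-Length value ${JSON.stringify(value)}`);
    }
  }
  return findings;
}

// Wraps a (req, res) handler; usage: http.createServer(guardFraming(app)).
function guardFraming(handler, log = console.warn) {
  return (req, res) => {
    const findings = inspectFraming(req.rawHeaders);
    if (findings.length === 0) return handler(req, res);
    // JSON encoding keeps attacker-controlled header bytes from forging log lines.
    const peer = req.socket.remoteAddress;
    log(JSON.stringify({ event: 'http_framing_rejected', peer, findings }));
    // Connection: close ends the socket, discarding bytes queued behind this request.
    res.writeHead(400, { Connection: 'close' });
    res.end();
  };
}

// Constructed sample header sets (not captured traffic).
const SAMPLES = {
  clean: ['Host', 'app.example', 'Transfer-Encoding', 'chunked'],
  repeated: ['Host', 'app.example', 'Transfer-Encoding', 'chunked, chunked'],
  teAndCl: ['Content-Length', '5', 'Transfer-Encoding', 'chunked'],
};
```

The guard runs after llhttp has already parsed the request, so it supplements the upgrade with rejection and alerting and does not replace it.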
# Check Node.js version and upgrade if vulnerable
node --version
# If version is below 14.20.1, 16.17.1, or 18.9.1, upgrade immediately
# Using nvm to upgrade Node.js
nvm install 18.9.1
nvm use 18.9.1
# Verify the upgrade
node --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


