CVE-2022-32215 Overview
CVE-2022-32215 is an HTTP Request Smuggling (HRS) vulnerability affecting the llhttp parser in the Node.js http module. The parser fails to correctly handle multi-line Transfer-Encoding headers, allowing attackers to manipulate HTTP request boundaries. This vulnerability enables attackers to bypass security controls, poison web caches, and potentially hijack user sessions by exploiting discrepancies in how front-end and back-end servers interpret malformed HTTP requests.
Critical Impact
This HTTP Request Smuggling vulnerability allows attackers to bypass security controls, poison caches, and potentially hijack sessions by exploiting improper parsing of multi-line Transfer-Encoding headers in Node.js applications.
Affected Products
- The llhttp parser bundled with Node.js versions prior to 14.20.1, 16.17.1, and 18.9.1
- Node.js (multiple versions across LTS and current release lines)
- Fedora 35, 36, and 37
- Siemens SINEC INS 1.0 (including SP1 and SP2)
- Debian Linux 11.0
- Stormshield Management Center
Discovery Timeline
- 2022-07-14 - CVE-2022-32215 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-32215
Vulnerability Analysis
HTTP Request Smuggling occurs when front-end and back-end servers interpret HTTP request boundaries differently. In this case, the llhttp parser in Node.js does not correctly process multi-line Transfer-Encoding headers, creating an opportunity for attackers to craft malicious requests that are interpreted inconsistently by different HTTP processors in the request chain.
The vulnerability resides in the http module's request parsing logic. When a Transfer-Encoding header spans multiple lines (using HTTP header folding), the llhttp parser may misinterpret the header value, leading to disagreements about where one request ends and another begins. This desynchronization enables various attack scenarios including cache poisoning, request hijacking, and security control bypass.
Root Cause
The root cause lies in the llhttp parser's improper handling of obsolete HTTP header folding (continuation lines) specifically within Transfer-Encoding headers. RFC 7230 deprecates this folding (obs-fold) but still allows a recipient to accept a header field value that continues on a following line beginning with whitespace, treating the fold as a single space. The parser's implementation failed to correctly normalize and validate multi-line Transfer-Encoding headers, creating parsing inconsistencies between it and other HTTP processors. This is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests).
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends a specially crafted HTTP request to a Node.js application with a malformed multi-line Transfer-Encoding header. When this request passes through a reverse proxy or load balancer before reaching the Node.js backend, the two servers may interpret the request boundaries differently.
The attacker crafts a request where the multi-line Transfer-Encoding header causes the front-end proxy to see one request while the back-end Node.js server interprets it as multiple requests (or vice versa). This allows the attacker to "smuggle" a hidden request that bypasses front-end security controls, potentially hijacking responses meant for other users or poisoning shared caches.
For detailed technical information about the exploitation mechanics, refer to the HackerOne Report #1501679 which documents the original vulnerability disclosure.
Detection Methods for CVE-2022-32215
Indicators of Compromise
- Unexpected HTTP requests in server logs with malformed or multi-line Transfer-Encoding headers
- Cache entries containing unexpected or malicious content not matching legitimate application responses
- Anomalous session behavior where users receive responses intended for other users
- Server logs showing requests with unusual header folding patterns (whitespace-prefixed continuation lines)
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block requests containing multi-line or malformed Transfer-Encoding headers
- Deploy network intrusion detection systems (NIDS) with signatures for HTTP Request Smuggling patterns
- Monitor for requests containing both Transfer-Encoding and Content-Length headers simultaneously
- Audit application logs for requests with header values containing embedded line breaks or continuation characters
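As an added example (not code from the original advisory, from Node.js or from llhttp), the following JavaScript function implements the checks listed above together with the folding rule from the Root Cause section, working on a raw HTTP/1.1 request head before any parser has normalized it: it reports obsolete line folding in any field, unknown transfer codings, a chunked coding that is not last, duplicate Transfer-Encoding fields, and Transfer-Encoding combined with Content-Length. The function name, host name and sample request heads are constructed for this example.

```javascript
// Transfer codings registered for HTTP/1.1; anything else is suspect.
const KNOWN_CODINGS = new Set(['chunked', 'compress', 'deflate', 'gzip', 'identity']);
// Audit one raw HTTP/1.1 request head (request line, header lines, blank line).
// Returns { ok, findings }; any finding is a reason for an edge to reject or alert.
function auditRequestHead(rawHead) {
  const findings = [];
  const lines = rawHead.split('\r\n');
  const headers = []; // { name, value, folded } in arrival order
  for (let i = 1; i < lines.length && lines[i] !== ''; i++) {
    const line = lines[i];
    if (/^[ \t]/.test(line)) {
      // obs-fold (RFC 7230 3.2.4): a whitespace-led line continues the previous field.
      if (headers.length === 0) {
        findings.push('continuation line before any header field');
        continue;
      }
      const prev = headers[headers.length - 1];
      prev.value = (prev.value + ' ' + line.trim()).trim(); // fold replaced by one SP
      prev.folded = true;
      continue;
    }
    const colon = line.indexOf(':');
    if (colon <= 0) {
      findings.push('malformed header line: ' + JSON.stringify(line));
      continue;
    }
    headers.push({ name: line.slice(0, colon).trim().toLowerCase(),
                   value: line.slice(colon + 1).trim(), folded: false });
  }
  // Folding anywhere is worth a log entry; in Transfer-Encoding it is this CVE's trigger.
  for (const h of headers) if (h.folded) findings.push('obsolete line folding in ' + h.name);
  const te = headers.filter((h) => h.name === 'transfer-encoding');
  const cl = headers.filter((h) => h.name === 'content-length');
  for (const h of te) {
    const codings = h.value.split(',').map((c) => c.trim().toLowerCase());
    const unknown = codings.filter((c) => !KNOWN_CODINGS.has(c));
    if (unknown.length) findings.push('unknown transfer coding(s): ' + unknown.join(', '));
    if (codings.includes('chunked') && codings[codings.length - 1] !== 'chunked') findings.push('chunked is not the final transfer coding');
  }
  if (te.length > 1) findings.push('multiple Transfer-Encoding headers');
  if (te.length && cl.length) findings.push('both Transfer-Encoding and Content-Length present');
  return { ok: findings.length === 0, findings };
}
// Constructed sample heads (not captures): a clean request, and the folded
// Transfer-Encoding plus Content-Length shape this advisory describes.
const CLEAN_HEAD = 'POST /api HTTP/1.1\r\nHost: example.test\r\n' +
  'Transfer-Encoding: gzip, chunked\r\n\r\n';
const FOLDED_TE_HEAD = 'POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n' +
  'Transfer-Encoding:\r\n chunked\r\n\r\n';
```

Run over archived request heads, every non-empty findings array is a candidate log entry; the first check fires on exactly the shape a patched llhttp now rejects.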
Monitoring Recommendations
- Enable detailed HTTP request logging on both front-end proxies and back-end Node.js servers to identify parsing discrepancies
- Implement anomaly detection for unusual patterns in request/response timing that may indicate smuggling attempts
- Monitor cache hit ratios and content integrity for signs of cache poisoning attacks
- Set up alerts for HTTP 400/502 errors that may indicate request parsing failures
How to Mitigate CVE-2022-32215
Immediate Actions Required
- Upgrade Node.js to version 14.20.1, 16.17.1, 18.9.1, or later immediately
- Review and update any directly imported llhttp dependencies to patched versions
- Configure front-end proxies to reject requests with malformed or multi-line Transfer-Encoding headers
- Audit application architecture to ensure consistent HTTP parsing across all components
Patch Information
Node.js released security patches addressing this vulnerability in July 2022. The fixed versions are Node.js 14.20.1, 16.17.1, and 18.9.1 or later. Organizations should upgrade to these patched versions or the latest LTS release. For detailed patch information, see the Node.js Security Blog Post.
Additional vendor advisories:
- Siemens Security Advisory SSA-332410 for SINEC INS
- Debian Security Advisory DSA-5326 for Debian Linux
Workarounds
- Configure reverse proxies (nginx, HAProxy) to normalize Transfer-Encoding headers before forwarding to Node.js backends
- Implement strict HTTP header validation at the edge to reject requests with header folding in Transfer-Encoding
- Use HTTP/2 end-to-end where possible, as HTTP/2 uses a different framing mechanism that is not susceptible to this class of vulnerability
- Deploy a WAF with HTTP Request Smuggling protection rules as an interim measure
# Example nginx configuration to mitigate HRS attacks
# Add to server or location block
# Reject requests whose Transfer-Encoding value still carries a line break
# (a folded header merged into the variable); "return" is safe inside "if"
if ($http_transfer_encoding ~* "[\r\n]") {
    return 400;
}
# Allow only known transfer codings; values are case-insensitive and may be
# a comma-separated list such as "gzip, chunked"
if ($http_transfer_encoding !~* "^(\s*(chunked|compress|deflate|gzip|identity)\s*(,|$))*$") {
    return 400;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


