CVE-2021-22959: 
npm vulnerability analysis and mitigation

CVE-2021-22959 is a vulnerability discovered in the llhttp parser that affects versions prior to v2.1.4 and v6.0.6. The vulnerability occurs when the parser accepts requests with a space (SP) right after the header name before the colon, which can lead to HTTP Request Smuggling (HRS) (Node.js Blog).

The vulnerability is related to the HTTP parser's handling of header fields, specifically when there is a space character immediately following the header name before the colon. This implementation flaw can result in HTTP Request Smuggling, which is categorized under CWE-444 (Inconsistent Interpretation of HTTP Requests). The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).

The vulnerability could allow attackers to perform HTTP Request Smuggling attacks, potentially leading to unauthorized information disclosure and integrity violations. The CVSS scoring indicates that the vulnerability can result in low-level confidentiality and integrity impacts, with no availability impact (NVD).

The vulnerability has been fixed in llhttp versions v2.1.4 and v6.0.6. Users are advised to upgrade to these or later versions. Various distributions have also released patches, including Debian which addressed this in DSA-5170-1 (Debian Security).